diff --git a/includes/common.inc b/includes/common.inc index b8cd55f..69a094a 100644 --- a/includes/common.inc +++ b/includes/common.inc @@ -4797,14 +4797,116 @@ function drupal_clear_js_cache() { /** * Converts a PHP variable into its JavaScript equivalent. * - * We use HTML-safe strings, i.e. with <, > and & escaped. + * We use HTML-safe strings, with several characters escaped. * * @see drupal_json_decode() - * @ingroup php_wrappers + * @see drupal_json_encode_helper() */ function drupal_json_encode($var) { - // json_encode() does not escape <, > and &, so we do it with str_replace(). - return str_replace(array('<', '>', '&'), array('\u003c', '\u003e', '\u0026'), json_encode($var)); + // We do not want to use drupal_static() since the PHP version will never + // change during a request. + static $php530; + + if (!isset($php530)) { + $php530 = version_compare(PHP_VERSION, '5.3.0', '>='); + } + + // json_encode on PHP prior to PHP 5.3.0 doesn't support options. + if ($php530) { + return json_encode($var, JSON_HEX_QUOT | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS); + } + return drupal_json_encode_helper($var); +} + +/** + * Helper for drupal_json_encode on PHP versions below 5.3.0. + * + * @see drupal_json_encode() + */ +function drupal_json_encode_helper($var) { + switch (gettype($var)) { + case 'boolean': + return $var ? 'true' : 'false'; // Lowercase necessary! + case 'integer': + case 'double': + return $var; + case 'resource': + case 'string': + // Always use Unicode escape sequences (\u0022) over JSON escape + // sequences (\") to prevent browsers interpreting these as + // special characters. + $replace_pairs = array( + // ", \ and U+0000 - U+001F must be escaped according to RFC 4627. + '\\' => '\u005C', + '"' => '\u0022', + "\x00" => '\u0000', + "\x01" => '\u0001', + "\x02" => '\u0002', + "\x03" => '\u0003', + "\x04" => '\u0004', + "\x05" => '\u0005', + "\x06" => '\u0006', + "\x07" => '\u0007', + "\x08" => '\u0008', + "\x09" => '\u0009', + "\x0a" => '\u000A', + "\x0b" => '\u000B', + "\x0c" => '\u000C', + "\x0d" => '\u000D', + "\x0e" => '\u000E', + "\x0f" => '\u000F', + "\x10" => '\u0010', + "\x11" => '\u0011', + "\x12" => '\u0012', + "\x13" => '\u0013', + "\x14" => '\u0014', + "\x15" => '\u0015', + "\x16" => '\u0016', + "\x17" => '\u0017', + "\x18" => '\u0018', + "\x19" => '\u0019', + "\x1a" => '\u001A', + "\x1b" => '\u001B', + "\x1c" => '\u001C', + "\x1d" => '\u001D', + "\x1e" => '\u001E', + "\x1f" => '\u001F', + // Prevent browsers from interpreting these as as special. + "'" => '\u0027', + '<' => '\u003C', + '>' => '\u003E', + '&' => '\u0026', + // Prevent browsers from interpreting the solidus as special and + // non-compliant JSON parsers from interpreting // as a comment. + '/' => '\u002F', + // While these are allowed unescaped according to ECMA-262, section + // 15.12.2, they cause problems in some JSON parser. + "\xe2\x80\xa8" => '\u2028', // U+2028, Line Separator. + "\xe2\x80\xa9" => '\u2029', // U+2029, Paragraph Separator. + ); + + return '"'. strtr($var, $replace_pairs) .'"'; + case 'array': + // Arrays in JSON can't be associative. If the array is empty or if it + // has sequential whole number keys starting with 0, it's not associative + // so we can go ahead and convert it as an array. + if (empty ($var) || array_keys($var) === range(0, sizeof($var) - 1)) { + $output = array(); + foreach ($var as $v) { + $output[] = drupal_json_encode_helper($v); + } + return '[ '. implode(', ', $output) .' ]'; + } + // Otherwise, fall through to convert the array as an object. + case 'object': + $output = array(); + foreach ($var as $k => $v) { + $output[] = drupal_json_encode_helper(strval($k)) .': '. drupal_json_encode_helper($v); + } + return '{ '. implode(', ', $output) .' }'; + default: + return 'null'; + } } /** diff --git a/modules/simpletest/tests/common.test b/modules/simpletest/tests/common.test index 177e457..d822134 100644 --- a/modules/simpletest/tests/common.test +++ b/modules/simpletest/tests/common.test @@ -2317,8 +2317,8 @@ class DrupalJSONTest extends DrupalUnitTestCase { $str .= chr($i); } // Characters that must be escaped. - $html_unsafe = array('<', '>', '&'); - $html_unsafe_escaped = array('\u003c', '\u003e', '\u0026'); + $html_unsafe = array('<', '>', '\'', '&'); + $html_unsafe_escaped = array('\u003C', '\u003E', '\u0027', '\u0026'); // Verify there aren't character encoding problems with the source string. $this->assertIdentical(strlen($str), 128, t('A string with the full ASCII table has the correct length.')); @@ -2349,6 +2349,54 @@ class DrupalJSONTest extends DrupalUnitTestCase { $this->assertNotIdentical($source, $json, t('An array encoded in JSON is not identical to the source.')); $this->assertIdentical($source, $json_decoded, t('Encoding structured data to JSON and decoding back results in the original data.')); } + +/** + * Tests converting PHP variables to JSON strings and back. + * + * drupal_to_json selects between PHP's js_encode and our own JSON encoder + * based on PHP version. We need this test to keep coverage on clients on + * PHP 5.3 or higher. + */ + function testJSONHelper() { + // Setup a string with the full ASCII table. + // @todo: Add tests for non-ASCII characters and Unicode. + $str = ''; + for ($i=0; $i < 128; $i++) { + $str .= chr($i); + } + // Characters that must be escaped. + $html_unsafe = array('<', '>', '&'); + $html_unsafe_escaped = array('\u003C', '\u003E', '\u0026'); + + // Verify there aren't character encoding problems with the source string. + $this->assertIdentical(strlen($str), 128, t('A string with the full ASCII table has the correct length.')); + foreach ($html_unsafe as $char) { + $this->assertTrue(strpos($str, $char) > 0, t('A string with the full ASCII table includes @s.', array('@s' => $char))); + } + + // Verify that JSON encoding produces a string with all of the characters. + $json = drupal_json_encode_helper($str); + $this->assertTrue(strlen($json) > strlen($str), t('A JSON encoded string is larger than the source string.')); + + // Verify that encoding/decoding is reversible. + $json_decoded = drupal_json_decode($json); + $this->assertIdentical($str, $json_decoded, t('Encoding a string to JSON and decoding back results in the original string.')); + + // Verify reversibility for structured data. Also verify that necessary + // characters are escaped. + $source = array(TRUE, FALSE, 0, 1, '0', '1', $str, array('key1' => $str, 'key2' => array('nested' => TRUE))); + $json = drupal_json_encode_helper($source); + foreach ($html_unsafe as $char) { + $this->assertTrue(strpos($json, $char) === FALSE, t('A JSON encoded string does not contain @s.', array('@s' => $char))); + } + // Verify that JSON encoding escapes the HTML unsafe characters + foreach ($html_unsafe_escaped as $char) { + $this->assertTrue(strpos($json, $char) > 0, t('A JSON encoded string contains @s.', array('@s' => $char))); + } + $json_decoded = drupal_json_decode($json); + $this->assertNotIdentical($source, $json, t('An array encoded in JSON is not identical to the source.')); + $this->assertIdentical($source, $json_decoded, t('Encoding structured data to JSON and decoding back results in the original data.')); + } } /**