I need to escape an entire JavaScript code block using an escape()-compatible function in PHP, and then put the resulting JavaScript code back into a construct like this:
document.write(unescape(ESCAPED_JS));
I'm not trying to increase security by doing this, protect code, or anything like that. Just to make it a bit harder to glance over the code and see what it does.
Does anyone have a working solution for this, or an idea how to do it? The only reference I found about it is on this page, but it only deals with unescaping a JS-escaped string using PHP, while taking special care of UTF-8 characters (which I also need to consider).
escape is not a standard function. Better use encodeURIComponent or JSON instead.
Gumbo is right (as always), but I think rawurlencode and rawurldecode are the PHP equivalents of JS escape and unescape.
You should be able to use urlencode and urldecode to do this.
http://php.net/manual/en/function.urlencode.php
I don't understand why we need to use esc_url if I myself am the one who actually wrote the URL, like:
echo get_template_directory_uri() . '/someText';
Although /someText is hardcoded, I know it's clean and safe because I wrote it. What are the circumstances in which this will be unsafe (like, how do bad guys do bad things when I don't use esc_url in this case)? Do they hack into the server? If they can really hack into the server, they won't even bother with esc_url anyway?
I have referred to https://stackoverflow.com/a/30583251/19507498, but he just explains how we use it without explaining why we need it.
The purpose of this function is to replace spaces and special characters with their encoded URL equivalents. For example, a space will be replaced with %20. This is needed because spaces and some other special characters like umlauts or ß are not allowed in URLs.
EDIT:
Furthermore, ? and & need to be encoded, because those have special meanings in URLs.
I'm working on PHP with a book now. The book said I should be careful using superglobal variables, so it's better to use htmlentities like this.
$came_from = htmlentities($_SERVER['HTTP_REFERER']);
So, I wrote code like this:
<?php
$came_from=htmlentities($_SERVER['HTTP_REFERER']);
echo $came_from;
?>
However, the output of the code above was the same without htmlentities(); it didn't change anything at all. I thought that it would change \ into something else. Did I use it wrong?
So, by default, htmlentities() encodes characters using ENT_COMPAT (converts double quotes and leaves single quotes alone) and ENT_HTML401. Seeing as the backslash isn't part of the HTML 4.01 entity spec (as far as I can see anyway), it won't be converted.
If you specify the ENT_HTML5 flag, you get a different result:
php > echo htmlentities('abc\123');
abc\123
php > echo htmlentities('abc\123', ENT_HTML5);
abc&bsol;123
This is because backslash is part of the HTML5 spec. See http://dev.w3.org/html5/html-author/charref
Sorry. My previous answer was absolutely wrong. I was confused with something else. My apologies. Let me rephrase my answer:
htmlentities will convert special characters into their HTML entity. "<" for example will be converted to "&lt;". Your browser will automatically recognise this HTML entity and decode it back to "<". So you won't notice any difference.
The reason for this is to prevent problems when saving your document in something different than UTF-8 encoding. Any characters not encoded might become screwed up for this reason.
I'm using parse_str to get a raw value from a URL (which is obviously entered by the user), and I'm wondering if there's anything I should do to make it safe before I use it (i.e. convert special characters like '<').
I noticed that the function does remove some characters, but I couldn't find the specifics anywhere.
Thanks.
You can use htmlentities() and then the parse_str() or parse_url() function.
I have a text field where the user can pass wildcards; more specific to the question, they can use the '%' character.
I am using Ajax to get the value and send it to a PHP file. If I enter '%BA' in the text field and retrieve the value using
document.getElementById('textfield').value
this actually gets '%BA'. I am using the POST method to send it to a PHP file. But the variable displays as "�" in the web browser and inserts "°" (degree, small o) in the database.
I am sure there are other cases that I am not aware of as well. Is there a function in PHP to escape the special characters, or any other way to get the exact string?
Edit: This may be a guess, but doing escape(document.getElementById('textfield').value) to send the value and using urldecode($values[3]) to retrieve the value doesn't work. Maybe it's a JS-to-PHP problem.
Update: urldecode will not work. Read the first comment on urldecode. Used the function there. Solved.
While passing the value using Ajax, just encode the value with the encodeURIComponent() function and use the urldecode() function to decode it in the PHP file. This might solve the issue.
You could encode the characters with urlencode (and maybe htmlspecialchars too) before storing them in the database, and use urldecode (and maybe htmlspecialchars_decode) to decode them before displaying to the user.
You can use escape in JavaScript, i.e.
escape(document.getElementById('val').value)
I'm having problems passing UTF-8 strings to JavaScript (Ajax). Currently I'm using rawurlencode on the PHP side and unescape on the JavaScript side.
The problem is with Latin characters, and rawurlencode doesn't support them fully.
Is there any alternative or any better option?
The solution was in the json_encode function. The problems stopped when I added JSON_HEX_APOS|JSON_HEX_QUOT.
Thanks!
Use json_encode in PHP and receive responses as JSON (jQuery is helpful).
Ajax is sent in UTF-8 by default, so you just have to return UTF-8.
PHP's utf8_encode(data) expects an ISO-8859-1 string as the data argument.
Need more suggestions? Tell me where you get the text from ;)
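An added example (my own, not from the thread) showing what the JSON_HEX_APOS|JSON_HEX_QUOT fix from the question, plus JSON_HEX_TAG and JSON_HEX_AMP, actually changes when the JSON ends up inside a page; jsonForHtml and inlineScript are hypothetical helpers that reproduce those json_encode() flags in JavaScript so the effect can be checked without PHP.

```javascript
// Added example, not code from the thread: what PHP's JSON_HEX_TAG, JSON_HEX_AMP,
// JSON_HEX_APOS and JSON_HEX_QUOT flags change, reproduced in JavaScript so the
// effect can be checked offline. JSON.stringify() output is valid JSON, but once
// it is written into an inline <script> or a quoted HTML attribute, a literal
// "</script>" or a matching quote inside the data ends that context early.
// Escaping those characters as \uXXXX keeps the JSON identical after parsing.
const HEX_ESCAPES = {
  '<': '\\u003C',   // JSON_HEX_TAG
  '>': '\\u003E',   // JSON_HEX_TAG
  '&': '\\u0026',   // JSON_HEX_AMP
  "'": '\\u0027',   // JSON_HEX_APOS
  '\\"': '\\u0022', // JSON_HEX_QUOT (the \" that JSON.stringify emits inside strings)
};

// Rewrites only the contents of JSON string literals, leaving the delimiting
// quotes and all structural characters untouched, as json_encode() does.
function jsonForHtml(value) {
  return JSON.stringify(value).replace(/"((?:[^"\\]|\\.)*)"/g, (m, body) =>
    '"' + body.replace(/\\"|[<>&']/g, (c) => HEX_ESCAPES[c]) + '"');
}

// Embed data in an inline script; with plain JSON.stringify() the sample below
// would carry a raw "</script>" into the page and terminate the script element.
function inlineScript(varName, value) {
  return `<script>var ${varName} = ${jsonForHtml(value)};</script>`;
}

// Constructed sample record containing each character the flags cover.
const SAMPLE = { name: "O'Neil", note: 'say "hi" & <b>bye</b>', html: '</script>' };
console.log(inlineScript('data', SAMPLE));
```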
From experience, JavaScript's escape() (and thus unescape()) are not Unicode (UTF-8) friendly. Use encodeURIComponent() and decodeURIComponent() instead.
Anyway, as the docs say:
The escape() function should not be used to encode URIs.
If PHP is doing the encoding and JS the decoding, why not simply not encode in PHP and encode in JS as well? Not really an answer so much as a workaround, I guess.
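An added example (my own code, not from any of the posts above) covering the three questions on this page that are really the same problem: the escape()-compatible PHP encoding asked for at the top, the '%BA' wildcard that turned into a degree-like character, and the rawurlencode/unescape UTF-8 failure in this last question. It assumes the server side uses PHP's rawurlencode()/rawurldecode() on a UTF-8 page; phpRawurlencode and phpRawurldecodeBytes are my re-implementations of those PHP functions so the round trips can be checked offline.

```javascript
// Added example, not code from the thread: which JavaScript functions round-trip
// with PHP's rawurlencode()/rawurldecode() over UTF-8, why escape()/unescape() do
// not, and why user-typed '%BA' needs encodeURIComponent() before urldecode().

// Same output as PHP rawurlencode(): each UTF-8 byte becomes %XX except the
// RFC 3986 unreserved set A-Z a-z 0-9 - _ . ~. encodeURIComponent() also
// leaves ! ' ( ) * alone, so those are encoded here to match PHP exactly.
function phpRawurlencode(str) {
  return encodeURIComponent(str).replace(/[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Bytes PHP rawurldecode() returns: %XX becomes one raw byte, anything else
// is copied as its UTF-8 bytes. PHP does not check that the result is UTF-8.
function phpRawurldecodeBytes(str) {
  const bytes = [];
  const enc = new TextEncoder();
  let i = 0;
  while (i < str.length) {
    const hex = str.slice(i + 1, i + 3);
    if (str[i] === '%' && /^[0-9A-Fa-f]{2}$/.test(hex)) {
      bytes.push(parseInt(hex, 16));
      i += 3;
    } else {
      const ch = String.fromCodePoint(str.codePointAt(i));
      bytes.push(...enc.encode(ch));
      i += ch.length;
    }
  }
  return bytes;
}

// Read decoded bytes as UTF-8 (what a UTF-8 page expects; throws on invalid
// sequences) or as Latin-1 (how the lone byte 0xBA shows up as "º").
function bytesToUtf8(bytes) {
  return new TextDecoder('utf-8', { fatal: true }).decode(Uint8Array.from(bytes));
}
function bytesToLatin1(bytes) {
  return String.fromCharCode(...bytes);
}
// Constructed inputs: accented text sent PHP -> JS, and the literal wildcard
// '%BA' sent JS -> PHP. decodeURIComponent() restores the UTF-8 text, while
// unescape() reads %C3%A9 as two Latin-1 code units ("Ã©"), and escape('é')
// would give %E9, which is not valid UTF-8 for the PHP side to decode.
console.log(decodeURIComponent(phpRawurlencode('café ü')));  // café ü
console.log(unescape(phpRawurlencode('café ü')));            // cafÃ© Ã¼
// Raw '%BA' is turned into byte 0xBA by urldecode(); after encodeURIComponent()
// it travels as '%25BA' and decodes back to the literal text '%BA'.
console.log(bytesToLatin1(phpRawurldecodeBytes('%BA')));                     // º
console.log(bytesToUtf8(phpRawurldecodeBytes(encodeURIComponent('%BA'))));  // %BA
```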