Comments on: Escaping JavaScript for PHP http://sixohthree.com/241/escaping The Weblog of Adam Backstrom Thu, 04 Mar 2010 19:43:03 +0000 http://wordpress.org/?v=2.9.1 hourly 1 By: JN http://sixohthree.com/241/escaping/comment-page-1#comment-3343 JN Fri, 13 Nov 2009 23:35:22 +0000 /?p=241#comment-3343 <code> function js_escape($str) {         for($i = 0, $l = strlen($str), $new_str=''; $i < $l; $i++)                 $new_str .= (ord(substr($str, $i, 1)) < 16 ? '\\x0' : '\\x')                         . dechex(ord(substr($str, $i, 1)));         return $new_str; } </code>
function js_escape($str) {
        for($i = 0, $l = strlen($str), $new_str=''; $i < $l; $i++)
                $new_str .= (ord(substr($str, $i, 1)) < 16 ? '\\x0' : '\\x')
                        . dechex(ord(substr($str, $i, 1)));
        return $new_str;
}

]]> By: Nightfly http://sixohthree.com/241/escaping/comment-page-1#comment-292 Nightfly Fri, 22 May 2009 22:06:54 +0000 /?p=241#comment-292 For super tidy string iteration, I always use this: for($i = 0, $l = strlen($str); $i < $l; $i++) {     $new_str .= ‘\\x’ . dechex(ord(substr($str, $i, 1))); } For super tidy string iteration, I always use this:

for($i = 0, $l = strlen($str); $i < $l; $i++) {
    $new_str .= ‘\\x’ . dechex(ord(substr($str, $i, 1)));
}

]]> By: Adam Backstrom http://sixohthree.com/241/escaping/comment-page-1#comment-291 Adam Backstrom Thu, 31 Jul 2008 20:56:45 +0000 /?p=241#comment-291 tedivm: good point. I've updated the post to reflect your suggestion. tedivm: good point. I’ve updated the post to reflect your suggestion.

]]> By: tedivm http://sixohthree.com/241/escaping/comment-page-1#comment-289 tedivm Thu, 31 Jul 2008 18:17:39 +0000 /?p=241#comment-289 You should take the "strlen($str)" check and put it outside of the for loop. The reason is that function calls use up a lot more resources than simple variable checks, and where the strlen function currently is it will be called for each interation of the loop (so if the string has a length of 50, that function will be called fifty times). $strLen = strlen($str); for($i = 0; $i < $strLen; $i++) {     $new_str .= '\\x' . dechex(ord(substr($str, $i, 1))); } You should take the “strlen($str)” check and put it outside of the for loop. The reason is that function calls use up a lot more resources than simple variable checks, and where the strlen function currently is it will be called for each interation of the loop (so if the string has a length of 50, that function will be called fifty times).

$strLen = strlen($str);
for($i = 0; $i < $strLen; $i++) {
    $new_str .= ‘\\x’ . dechex(ord(substr($str, $i, 1)));
}

]]> By: Pascal http://sixohthree.com/241/escaping/comment-page-1#comment-290 Pascal Thu, 31 Jul 2008 13:23:12 +0000 /?p=241#comment-290 I see. And I guess using htmlentities(strip_tags($myVar)) would break the javascript. Good script then. I see. And I guess using htmlentities(strip_tags($myVar)) would break the javascript. Good script then.

]]> By: Adam Backstrom http://sixohthree.com/241/escaping/comment-page-1#comment-288 Adam Backstrom Thu, 31 Jul 2008 12:41:44 +0000 /?p=241#comment-288 Pascal, Here's an example of <a href="http://static.bwerp.net/~adam/2008/07/31/js.php" rel="nofollow">addslashes() allowing XSS</a>. It's not sufficient to block all hack attempts. That page will load off-domain JavaScript in Firefox 3.0.1, Opera 9.51, Safari 3.1.2, and Internet Explorer 7.0.6001.18000. Pascal,

Here’s an example of addslashes() allowing XSS. It’s not sufficient to block all hack attempts. That page will load off-domain JavaScript in Firefox 3.0.1, Opera 9.51, Safari 3.1.2, and Internet Explorer 7.0.6001.18000.

]]> By: Pascal http://sixohthree.com/241/escaping/comment-page-1#comment-287 Pascal Thu, 31 Jul 2008 01:38:45 +0000 /?p=241#comment-287 Why not just use addslashes($myvar)? Why not just use addslashes($myvar)?

]]> By: Jake Cebula http://sixohthree.com/241/escaping/comment-page-1#comment-284 Jake Cebula Fri, 09 May 2008 01:33:57 +0000 /?p=241#comment-284 Guess who stumbled upon this useful post :) Not the first time you've helped me out, old friend. Thanks! Guess who stumbled upon this useful post :) Not the first time you’ve helped me out, old friend. Thanks!

]]> By: Blech http://sixohthree.com/241/escaping/comment-page-1#comment-285 Blech Fri, 25 Apr 2008 16:52:07 +0000 /?p=241#comment-285 This one handles newlines and tabs. ^ There should be a preview button here! This one handles newlines and tabs. ^ There should be a preview button here!

]]> By: Blech http://sixohthree.com/241/escaping/comment-page-1#comment-286 Blech Fri, 25 Apr 2008 16:50:25 +0000 /?p=241#comment-286 <blockquote cite="This one handles tabs and newlines"> function javascript_escape($str) {     $new_str = '';     for($i = 0; $i < strlen($str); $i++) {         $val = ord(substr($str, $i, 1));         $prefix = $val < 16 ? '\\x0' : '\\x';         $new_str .= $prefix . dechex($val);     }     return $new_str; } </blockquote>

function javascript_escape($str) {
    $new_str = ”;

    for($i = 0; $i < strlen($str); $i++) {
        $val = ord(substr($str, $i, 1));
        $prefix = $val < 16 ? ‘\\x0′ : ‘\\x’;
        $new_str .= $prefix . dechex($val);
    }

    return $new_str;
}

]]>