From 6d75c0afafccd130bbc5602f98afdab4dfa7b96e Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Wed, 2 Aug 2006 10:15:56 +0000 Subject: [PATCH] added PMA_escapeJsString() to escape strings for JavaScript inside CDATA blocks --- ChangeLog | 2 ++ libraries/common.lib.php | 35 ++++++++++++++++++++++++++++------- 2 files changed, 30 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3bf2ba7a4..bb899baab 100755 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,8 @@ $Source$ added variables to define (text) color for marked and hovered objects thanks to Juergen Wind - windkiel for hinting this bug (patch #1503529) * Documentation.html: updated style config option descriptions + * libraries/common.lib.php: added PMA_escapeJsString() to escape strings for + JavaScript inside CDATA blocks 2006-08-01 Marc Delisle * Documentation.html: patch #1532493 + light editing from me, diff --git a/libraries/common.lib.php b/libraries/common.lib.php index 8a9edc3b3..1a16fe93f 100644 --- a/libraries/common.lib.php +++ b/libraries/common.lib.php @@ -1317,12 +1317,18 @@ if (!defined('PMA_MINIMUM_COMMON')) { /** - * Format a string so it can be passed to a javascript function. + * Format a string so it can be a string inside JavaScript code inside an + * eventhandler (onclick, onchange, on..., ). * This function is used to displays a javascript confirmation box for * "DROP/DELETE/ALTER" queries. * - * @param string the string to format - * @param boolean whether to add backquotes to the string or not + * @uses PMA_escapeJsString() + * @uses PMA_backquote() + * @uses is_string() + * @uses htmlspecialchars() + * @uses str_replace() + * @param string $a_string the string to format + * @param boolean $add_backquotes whether to add backquotes to the string or not * * @return string the formated string * 
@@ -1332,16 +1338,31 @@ if (!defined('PMA_MINIMUM_COMMON')) { { if (is_string($a_string)) { $a_string = htmlspecialchars($a_string); - $a_string = str_replace('\\', '\\\\', $a_string); - $a_string = str_replace('\'', '\\\'', $a_string); + $a_string = PMA_escapeJsString($a_string); + // TODO: what is this good for? $a_string = str_replace('#', '\\#', $a_string); - $a_string = str_replace("\012", '\n', $a_string); - $a_string = str_replace("\015", '\r', $a_string); } return (($add_backquotes) ? PMA_backquote($a_string) : $a_string); } // end of the 'PMA_jsFormat()' function + /** + * escapes a string to be inserted as string a JavaScript block + * enclosed by + * this requires only to escape ' with \' + * + * @uses str_replace() + * @param string $string the string to be escaped + * @return string the escaped string + */ + function PMA_escapeJsString($string) + { + $string = str_replace('\\', '\\\\', $string); + $string = str_replace('\'', '\\\'', $string); + $string = str_replace("\012", '\n', $string); + $string = str_replace("\015", '\r', $string); + return $string; + } /** * Defines the value depending on the user OS.
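Review bot: PMA_escapeJsString() does nothing about a value containing `</script>` (or, in a page parsed as XML, `]]>`), so such a value still terminates the script/CDATA block the docblock says the function is for and the remainder is rendered as markup — backslash-escaping quotes cannot help, because the HTML parser finds the end tag before any JavaScript engine sees the string literal. Adding `$string = str_replace('/', '\\/', $string);` next to the existing replacements turns `</script>` into `<\/script>`, which JavaScript reads as the same string but the HTML parser no longer treats as an end tag; `]]>` would need similar handling if the output is ever served as XHTML. The docblock also says the function "requires only to escape ' with \'" while the body escapes backslash, LF and CR as well, and it never touches `"`, so it should state the contract explicitly: `* Escapes \, ', LF and CR so the result can be embedded in a SINGLE-quoted JavaScript string literal; the caller must not wrap it in double quotes.` Callers that go through PMA_jsFormat() run htmlspecialchars() first (visible in the hunk), which neutralises `<` before this function is reached, so the gap mainly affects direct callers of the new helper; PMA_jsFormat()'s signature and docblock lie outside this hunk.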