From 872f4f3ec515cff702baedfa35a638d491db9cea Mon Sep 17 00:00:00 2001
From: "John Paul E. Balandan, CPA"
Date: Wed, 7 May 2025 20:52:10 +0800
Subject: [PATCH] chore: bump to laminas-escaper v2.17
---
 system/ThirdParty/Escaper/Escaper.php | 44 ++------------
 .../ThirdParty/Escaper/EscaperInterface.php | 58 +++++++++++++++++++
 2 files changed, 64 insertions(+), 38 deletions(-)
 create mode 100644 system/ThirdParty/Escaper/EscaperInterface.php
diff --git a/system/ThirdParty/Escaper/Escaper.php b/system/ThirdParty/Escaper/Escaper.php
index 4fce36bd0c6c..39d9b0b1cdac 100644
--- a/system/ThirdParty/Escaper/Escaper.php
+++ b/system/ThirdParty/Escaper/Escaper.php
@@ -30,7 +30,7 @@
 *
 * @final
 */
-class Escaper
+class Escaper implements EscaperInterface
 {
 /**
 * Entity Map mapping Unicode codepoints to any available named HTML entities.
@@ -183,24 +183,13 @@ public function getEncoding()
 return $this->encoding;
 }
 
- /**
- * Escape a string for the HTML Body context where there are very few characters
- * of special meaning. Internally this will use htmlspecialchars().
- *
- * @return ($string is non-empty-string ? non-empty-string : string)
- */
+ /** @inheritDoc */
 public function escapeHtml(string $string)
 {
 return htmlspecialchars($string, $this->htmlSpecialCharsFlags, $this->encoding);
 }
 
- /**
- * Escape a string for the HTML Attribute context. We use an extended set of characters
- * to escape that are not covered by htmlspecialchars() to cover cases where an attribute
- * might be unquoted or quoted illegally (e.g. backticks are valid quotes for IE).
- *
- * @return ($string is non-empty-string ? non-empty-string : string)
- */
+ /** @inheritDoc */
 public function escapeHtmlAttr(string $string)
 {
 $string = $this->toUtf8($string);
@@ -214,17 +203,7 @@ public function escapeHtmlAttr(string $string)
 return $this->fromUtf8($result);
 }
 
- /**
- * Escape a string for the Javascript context. This does not use json_encode(). An extended
- * set of characters are escaped beyond ECMAScript's rules for Javascript literal string
- * escaping in order to prevent misinterpretation of Javascript as HTML leading to the
- * injection of special characters and entities. The escaping used should be tolerant
- * of cases where HTML escaping was not applied on top of Javascript escaping correctly.
- * Backslash escaping is not used as it still leaves the escaped character as-is and so
- * is not useful in a HTML context.
- *
- * @return ($string is non-empty-string ? non-empty-string : string)
- */
+ /** @inheritDoc */
 public function escapeJs(string $string)
 {
 $string = $this->toUtf8($string);
@@ -238,24 +217,13 @@ public function escapeJs(string $string)
 return $this->fromUtf8($result);
 }
 
- /**
- * Escape a string for the URI or Parameter contexts. This should not be used to escape
- * an entire URI - only a subcomponent being inserted. The function is a simple proxy
- * to rawurlencode() which now implements RFC 3986 since PHP 5.3 completely.
- *
- * @return ($string is non-empty-string ? non-empty-string : string)
- */
+ /** @inheritDoc */
 public function escapeUrl(string $string)
 {
 return rawurlencode($string);
 }
 
- /**
- * Escape a string for the CSS context. CSS escaping can be applied to any string being
- * inserted into CSS and escapes everything except alphanumerics.
- *
- * @return ($string is non-empty-string ? non-empty-string : string)
- */
+ /** @inheritDoc */
 public function escapeCss(string $string)
 {
 $string = $this->toUtf8($string);
diff --git a/system/ThirdParty/Escaper/EscaperInterface.php b/system/ThirdParty/Escaper/EscaperInterface.php
new file mode 100644
index 000000000000..3930db88ac01
--- /dev/null
+++ b/system/ThirdParty/Escaper/EscaperInterface.php
@@ -0,0 +1,58 @@
+