dépôts / lhc / web / wiklou.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Make it show email as required if you choose to email a random password.
[lhc/web/wiklou.git] / includes / json / FormatJson.php
1 <?php
2 /**
3 * Wrapper for json_encode and json_decode.
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 * http://www.gnu.org/copyleft/gpl.html
19 *
20 * @file
21 */
22
23 /**
24 * JSON formatter wrapper class
25 */
26 class FormatJson {
27
28 /**
29 * Skip escaping most characters above U+007F for readability and compactness.
30 * This encoding option saves 3 to 8 bytes (uncompressed) for each such character;
31 * however, it could break compatibility with systems that incorrectly handle UTF-8.
32 *
33 * @since 1.21
34 */
35 const UTF8_OK = 1;
36
37 /**
38 * Skip escaping the characters '<', '>', and '&', which have special meanings in
39 * HTML and XML.
40 *
41 * @warning Do not use this option for JSON that could end up in inline scripts.
42 * - HTML5, §4.3.1.2 Restrictions for contents of script elements
43 * - XML 1.0 (5th Ed.), §2.4 Character Data and Markup
44 *
45 * @since 1.21
46 */
47 const XMLMETA_OK = 2;
48
49 /**
50 * Skip escaping as many characters as reasonably possible.
51 *
52 * @warning When generating inline script blocks, use FormatJson::UTF8_OK instead.
53 *
54 * @since 1.21
55 */
56 const ALL_OK = 3;
57
58 /**
59 * Characters problematic in JavaScript.
60 *
61 * @note These are listed in ECMA-262 (5.1 Ed.), §7.3 Line Terminators along with U+000A (LF)
62 * and U+000D (CR). However, PHP already escapes LF and CR according to RFC 4627.
63 */
64 private static $badChars = array(
65 "\xe2\x80\xa8", // U+2028 LINE SEPARATOR
66 "\xe2\x80\xa9", // U+2029 PARAGRAPH SEPARATOR
67 );
68
69 /**
70 * Escape sequences for characters listed in FormatJson::$badChars.
71 */
72 private static $badCharsEscaped = array(
73 '\u2028', // U+2028 LINE SEPARATOR
74 '\u2029', // U+2029 PARAGRAPH SEPARATOR
75 );
76
77 /**
78 * Returns the JSON representation of a value.
79 *
80 * @note Empty arrays are encoded as numeric arrays, not as objects, so cast any associative
81 * array that might be empty to an object before encoding it.
82 *
83 * @note In pre-1.21 versions of MediaWiki, using this function for generating inline script
84 * blocks may result in an XSS vulnerability, and quite likely will in XML documents
85 * (cf. FormatJson::XMLMETA_OK). Use Xml::encodeJsVar() instead in such cases.
86 *
87 * @param mixed $value The value to encode. Can be any type except a resource.
88 * @param bool $pretty If true, add non-significant whitespace to improve readability.
89 * @param int $escaping Bitfield consisting of _OK class constants
90 * @return string|bool: String if successful; false upon failure
91 */
92 public static function encode( $value, $pretty = false, $escaping = 0 ) {
93 if ( version_compare( PHP_VERSION, '5.4.0', '<' ) ) {
94 return self::encode53( $value, $pretty, $escaping );
95 }
96 return self::encode54( $value, $pretty, $escaping );
97 }
98
99 /**
100 * Decodes a JSON string.
101 *
102 * @param string $value The JSON string being decoded
103 * @param bool $assoc When true, returned objects will be converted into associative arrays.
104 *
105 * @return mixed: the value encoded in JSON in appropriate PHP type.
106 * Values `"true"`, `"false"`, and `"null"` (case-insensitive) are returned as `true`, `false`
107 * and `null` respectively. `null` is returned if the JSON cannot be
108 * decoded or if the encoded data is deeper than the recursion limit.
109 */
110 public static function decode( $value, $assoc = false ) {
111 return json_decode( $value, $assoc );
112 }
113
114 /**
115 * JSON encoder wrapper for PHP >= 5.4, which supports useful encoding options.
116 *
117 * @param mixed $value
118 * @param bool $pretty
119 * @param int $escaping
120 * @return string|bool
121 */
122 private static function encode54( $value, $pretty, $escaping ) {
123 // PHP escapes '/' to prevent breaking out of inline script blocks using '</script>',
124 // which is hardly useful when '<' and '>' are escaped, and such escaping negatively
125 // impacts the human readability of URLs and similar strings.
126 $options = JSON_UNESCAPED_SLASHES;
127 $options |= $pretty ? JSON_PRETTY_PRINT : 0;
128 $options |= ( $escaping & self::UTF8_OK ) ? JSON_UNESCAPED_UNICODE : 0;
129 $options |= ( $escaping & self::XMLMETA_OK ) ? 0 : ( JSON_HEX_TAG | JSON_HEX_AMP );
130 $json = json_encode( $value, $options );
131 if ( $json === false ) {
132 return false;
133 }
134 if ( $escaping & self::UTF8_OK ) {
135 $json = str_replace( self::$badChars, self::$badCharsEscaped, $json );
136 }
137 return $json;
138 }
139
140 /**
141 * JSON encoder wrapper for PHP 5.3, which lacks native support for some encoding options.
142 * Therefore, the missing options are implemented here purely in PHP code.
143 *
144 * @param mixed $value
145 * @param bool $pretty
146 * @param int $escaping
147 * @return string|bool
148 */
149 private static function encode53( $value, $pretty, $escaping ) {
150 $options = ( $escaping & self::XMLMETA_OK ) ? 0 : ( JSON_HEX_TAG | JSON_HEX_AMP );
151 $json = json_encode( $value, $options );
152 if ( $json === false ) {
153 return false;
154 }
155 $json = str_replace( '\\/', '/', $json ); // emulate JSON_UNESCAPED_SLASHES
156 if ( $escaping & self::UTF8_OK ) {
157 // JSON hex escape sequences follow the format \uDDDD, where DDDD is four hex digits
158 // indicating the equivalent UTF-16 code unit's value. To most efficiently unescape
159 // them, we exploit the JSON extension's built-in decoder.
160 // * We escape the input a second time, so any such sequence becomes \\uDDDD.
161 // * To avoid interpreting escape sequences that were in the original input,
162 // each double-escaped backslash (\\\\) is replaced with \\\u005c.
163 // * We strip one of the backslashes from each of the escape sequences to unescape.
164 // * Then the JSON decoder can perform the actual unescaping.
165 $json = str_replace( "\\\\\\\\", "\\\\\\u005c", addcslashes( $json, '\"' ) );
166 $json = json_decode( preg_replace( "/\\\\\\\\u(?!00[0-7])/", "\\\\u", "\"$json\"" ) );
167 $json = str_replace( self::$badChars, self::$badCharsEscaped, $json );
168 }
169 return $pretty ? self::prettyPrint( $json ) : $json;
170 }
171
172 /**
173 * Adds non-significant whitespace to an existing JSON representation of an object.
174 * Only needed for PHP < 5.4, which lacks the JSON_PRETTY_PRINT option.
175 *
176 * @param string $json
177 * @return string
178 */
179 private static function prettyPrint( $json ) {
180 $buf = '';
181 $indent = 0;
182 $json = strtr( $json, array( '\\\\' => '\\\\', '\"' => "\x01" ) );
183 for ( $i = 0, $n = strlen( $json ); $i < $n; $i += $skip ) {
184 $skip = 1;
185 switch ( $json[$i] ) {
186 case ':':
187 $buf .= ': ';
188 break;
189 case '[':
190 case '{':
191 $indent++; // falls through
192 case ',':
193 $buf .= $json[$i] . "\n" . str_repeat( ' ', $indent );
194 break;
195 case ']':
196 case '}':
197 $indent--;
198 $buf .= "\n" . str_repeat( ' ', $indent ) . $json[$i];
199 break;
200 case '"':
201 $skip = strcspn( $json, '"', $i + 1 ) + 2;
202 $buf .= substr( $json, $i, $skip );
203 break;
204 default:
205 $skip = strcspn( $json, ',]}"', $i + 1 ) + 1;
206 $buf .= substr( $json, $i, $skip );
207 }
208 }
209 return str_replace( "\x01", '\"', preg_replace( '/ +$/m', '', $buf ) );
210 }
211 }
Wiklou, le Wiki du Wiklou