includes/json/FormatJson.php

   1 <?php
   2 /**
   3  * Wrapper for json_encode and json_decode.
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License as published by
   7  * the Free Software Foundation; either version 2 of the License, or
   8  * (at your option) any later version.
   9  *
  10  * This program is distributed in the hope that it will be useful,
  11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  13  * GNU General Public License for more details.
  14  *
  15  * You should have received a copy of the GNU General Public License along
  16  * with this program; if not, write to the Free Software Foundation, Inc.,
  17  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
  18  * http://www.gnu.org/copyleft/gpl.html
  19  *
  20  * @file
  21  */
  22
  23 /**
  24  * JSON formatter wrapper class
  25  */
  26 class FormatJson {
  27
  28         /**
  29          * Skip escaping most characters above U+007F for readability and compactness.
  30          * This encoding option saves 3 to 8 bytes (uncompressed) for each such character;
  31          * however, it could break compatibility with systems that incorrectly handle UTF-8.
  32          *
  33          * @since 1.22
  34          */
  35         const UTF8_OK = 1;
  36
  37         /**
  38          * Skip escaping the characters '<', '>', and '&', which have special meanings in
  39          * HTML and XML.
  40          *
  41          * @warning Do not use this option for JSON that could end up in inline scripts.
  42          * - HTML5, §4.3.1.2 Restrictions for contents of script elements
  43          * - XML 1.0 (5th Ed.), §2.4 Character Data and Markup
  44          *
  45          * @since 1.22
  46          */
  47         const XMLMETA_OK = 2;
  48
  49         /**
  50          * Skip escaping as many characters as reasonably possible.
  51          *
  52          * @warning When generating inline script blocks, use FormatJson::UTF8_OK instead.
  53          *
  54          * @since 1.22
  55          */
  56         const ALL_OK = 3;
  57
  58         /**
  59          * Regex that matches whitespace inside empty arrays and objects.
  60          *
  61          * This doesn't affect regular strings inside the JSON because those can't
  62          * have a real line break (\n) in them, at this point they are already escaped
  63          * as the string "\n" which this doesn't match.
  64          *
  65          * @private
  66          */
  67         const WS_CLEANUP_REGEX = '/(?<=[\[{])\n\s*+(?=[\]}])/';
  68
  69         /**
  70          * Characters problematic in JavaScript.
  71          *
  72          * @note These are listed in ECMA-262 (5.1 Ed.), §7.3 Line Terminators along with U+000A (LF)
  73          *       and U+000D (CR). However, PHP already escapes LF and CR according to RFC 4627.
  74          */
  75         private static $badChars = array(
  76                 "\xe2\x80\xa8", // U+2028 LINE SEPARATOR
  77                 "\xe2\x80\xa9", // U+2029 PARAGRAPH SEPARATOR
  78         );
  79
  80         /**
  81          * Escape sequences for characters listed in FormatJson::$badChars.
  82          */
  83         private static $badCharsEscaped = array(
  84                 '\u2028', // U+2028 LINE SEPARATOR
  85                 '\u2029', // U+2029 PARAGRAPH SEPARATOR
  86         );
  87
  88         /**
  89          * Returns the JSON representation of a value.
  90          *
  91          * @note Empty arrays are encoded as numeric arrays, not as objects, so cast any associative
  92          *       array that might be empty to an object before encoding it.
  93          *
  94          * @note In pre-1.22 versions of MediaWiki, using this function for generating inline script
  95          *       blocks may result in an XSS vulnerability, and quite likely will in XML documents
  96          *       (cf. FormatJson::XMLMETA_OK). Use Xml::encodeJsVar() instead in such cases.
  97          *
  98          * @param mixed $value The value to encode. Can be any type except a resource.
  99          * @param bool $pretty If true, add non-significant whitespace to improve readability.
 100          * @param int $escaping Bitfield consisting of _OK class constants
 101          * @return string|bool: String if successful; false upon failure
 102          */
 103         public static function encode( $value, $pretty = false, $escaping = 0 ) {
 104                 if ( defined( 'JSON_UNESCAPED_UNICODE' ) ) {
 105                         return self::encode54( $value, $pretty, $escaping );
 106                 }
 107                 return self::encode53( $value, $pretty, $escaping );
 108         }
 109
 110         /**
 111          * Decodes a JSON string.
 112          *
 113          * @param string $value The JSON string being decoded
 114          * @param bool $assoc When true, returned objects will be converted into associative arrays.
 115          *
 116          * @return mixed: the value encoded in JSON in appropriate PHP type.
 117          * `null` is returned if the JSON cannot be decoded or if the encoded data is deeper than
 118          * the recursion limit.
 119          */
 120         public static function decode( $value, $assoc = false ) {
 121                 return json_decode( $value, $assoc );
 122         }
 123
 124         /**
 125          * JSON encoder wrapper for PHP >= 5.4, which supports useful encoding options.
 126          *
 127          * @param mixed $value
 128          * @param bool $pretty
 129          * @param int $escaping
 130          * @return string|bool
 131          */
 132         private static function encode54( $value, $pretty, $escaping ) {
 133                 // PHP escapes '/' to prevent breaking out of inline script blocks using '</script>',
 134                 // which is hardly useful when '<' and '>' are escaped (and inadequate), and such
 135                 // escaping negatively impacts the human readability of URLs and similar strings.
 136                 $options = JSON_UNESCAPED_SLASHES;
 137                 $options |= $pretty ? JSON_PRETTY_PRINT : 0;
 138                 $options |= ( $escaping & self::UTF8_OK ) ? JSON_UNESCAPED_UNICODE : 0;
 139                 $options |= ( $escaping & self::XMLMETA_OK ) ? 0 : ( JSON_HEX_TAG | JSON_HEX_AMP );
 140                 $json = json_encode( $value, $options );
 141                 if ( $json === false ) {
 142                         return false;
 143                 }
 144
 145                 if ( $pretty ) {
 146                         // Remove whitespace inside empty arrays/objects; different JSON encoders
 147                         // vary on this, and we want our output to be consistent across implementations.
 148                         $json = preg_replace( self::WS_CLEANUP_REGEX, '', $json );
 149                 }
 150                 if ( $escaping & self::UTF8_OK ) {
 151                         $json = str_replace( self::$badChars, self::$badCharsEscaped, $json );
 152                 }
 153                 return $json;
 154         }
 155
 156         /**
 157          * JSON encoder wrapper for PHP 5.3, which lacks native support for some encoding options.
 158          * Therefore, the missing options are implemented here purely in PHP code.
 159          *
 160          * @param mixed $value
 161          * @param bool $pretty
 162          * @param int $escaping
 163          * @return string|bool
 164          */
 165         private static function encode53( $value, $pretty, $escaping ) {
 166                 $options = ( $escaping & self::XMLMETA_OK ) ? 0 : ( JSON_HEX_TAG | JSON_HEX_AMP );
 167                 $json = json_encode( $value, $options );
 168                 if ( $json === false ) {
 169                         return false;
 170                 }
 171
 172                 // Emulate JSON_UNESCAPED_SLASHES. Because the JSON contains no unescaped slashes
 173                 // (only escaped slashes), a simple string replacement works fine.
 174                 $json = str_replace( '\/', '/', $json );
 175
 176                 if ( $escaping & self::UTF8_OK ) {
 177                         // JSON hex escape sequences follow the format \uDDDD, where DDDD is four hex digits
 178                         // indicating the equivalent UTF-16 code unit's value. To most efficiently unescape
 179                         // them, we exploit the JSON extension's built-in decoder.
 180                         // * We escape the input a second time, so any such sequence becomes \\uDDDD.
 181                         // * To avoid interpreting escape sequences that were in the original input,
 182                         //   each double-escaped backslash (\\\\) is replaced with \\\u005c.
 183                         // * We strip one of the backslashes from each of the escape sequences to unescape.
 184                         // * Then the JSON decoder can perform the actual unescaping.
 185                         $json = str_replace( "\\\\\\\\", "\\\\\\u005c", addcslashes( $json, '\"' ) );
 186                         $json = json_decode( preg_replace( "/\\\\\\\\u(?!00[0-7])/", "\\\\u", "\"$json\"" ) );
 187                         $json = str_replace( self::$badChars, self::$badCharsEscaped, $json );
 188                 }
 189
 190                 if ( $pretty ) {
 191                         return self::prettyPrint( $json );
 192                 }
 193                 return $json;
 194         }
 195
 196         /**
 197          * Adds non-significant whitespace to an existing JSON representation of an object.
 198          * Only needed for PHP < 5.4, which lacks the JSON_PRETTY_PRINT option.
 199          *
 200          * @param string $json
 201          * @return string
 202          */
 203         private static function prettyPrint( $json ) {
 204                 $buf = '';
 205                 $indent = 0;
 206                 $json = strtr( $json, array( '\\\\' => '\\\\', '\"' => "\x01" ) );
 207                 for ( $i = 0, $n = strlen( $json ); $i < $n; $i += $skip ) {
 208                         $skip = 1;
 209                         switch ( $json[$i] ) {
 210                                 case ':':
 211                                         $buf .= ': ';
 212                                         break;
 213                                 case '[':
 214                                 case '{':
 215                                         ++$indent;
 216                                         // falls through
 217                                 case ',':
 218                                         $buf .= $json[$i] . "\n" . str_repeat( '    ', $indent );
 219                                         break;
 220                                 case ']':
 221                                 case '}':
 222                                         $buf .= "\n" . str_repeat( '    ', --$indent ) . $json[$i];
 223                                         break;
 224                                 case '"':
 225                                         $skip = strcspn( $json, '"', $i + 1 ) + 2;
 226                                         $buf .= substr( $json, $i, $skip );
 227                                         break;
 228                                 default:
 229                                         $skip = strcspn( $json, ',]}"', $i + 1 ) + 1;
 230                                         $buf .= substr( $json, $i, $skip );
 231                         }
 232                 }
 233                 $buf = preg_replace( self::WS_CLEANUP_REGEX, '', $buf );
 234                 return str_replace( "\x01", '\"', $buf );
 235         }
 236 }