Add array_escape() function to escape all keys and values of an array or object

common/functions.php

@@ -96,6 +96,35 @@ function array_last_key(array $array)
 	return key($array);
 }
 
+/**
+ * Escape all keys and values in a multi-dimensional array.
+ * 
+ * @param array $array The array to escape
+ * @param bool $double_escape Set this to false to skip symbols that are already escaped (default: true)
+ * @return array
+ */
+function array_escape(array $array, $double_escape = true)
+{
+	$flags = ENT_QUOTES | ENT_SUBSTITUTE;
+	$result = array();
+	foreach ($array as $key => $value)
+	{
+		if (is_array($value))
+		{
+			$result[htmlspecialchars($key, $flags, 'UTF-8', $double_escape)] = array_escape($value, $double_escape, $flags);
+		}
+		elseif (is_object($value))
+		{
+			$result[htmlspecialchars($key, $flags, 'UTF-8', $double_escape)] = (object)array_escape(get_object_vars($value), $double_escape, $flags);
+		}
+		else
+		{
+			$result[htmlspecialchars($key, $flags, 'UTF-8', $double_escape)] = htmlspecialchars($value, $flags, 'UTF-8', $double_escape);
+		}
+	}
+	return $result;
+}
+
 /**
  * Flatten a multi-dimensional array into a one-dimensional array.
  * Based on util.php <https://github.com/brandonwamboldt/utilphp>
@@ -155,7 +184,7 @@ function clean_path($path)
  */
 function escape($str, $double_escape = true)
 {
-	$flags = defined('ENT_SUBSTITUTE') ? (ENT_QUOTES | ENT_SUBSTITUTE) : (ENT_QUOTES | ENT_IGNORE);
+	$flags = ENT_QUOTES | ENT_SUBSTITUTE;
 	return htmlspecialchars($str, $flags, 'UTF-8', $double_escape);
 }
 
@@ -178,8 +207,7 @@ function escape_css($str)
  */
 function escape_js($str)
 {
-	$flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
-	if (defined('JSON_UNESCAPED_UNICODE')) $flags = $flags | JSON_UNESCAPED_UNICODE;
+	$flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE;
 	$str = json_encode((string)$str, $flags);
 	return substr($str, 1, strlen($str) - 2);
 }

tests/unit/functions/FunctionsTest.php

@@ -18,6 +18,14 @@ class FunctionsTest extends \Codeception\TestCase\Test
 		$this->assertEquals($flattened2, array_flatten($array, false));
 	}
 	
+	public function testArrayEscape()
+	{
+		$this->assertEquals(array('foo&lt;' => 'bar&gt;', 'baz&quot;baz' => array('fuzz&amp;amp;bazz' => '&lt;rhymix&gt;')), array_escape(array('foo<' => 'bar>', 'baz"baz' => array('fuzz&amp;bazz' => '<rhymix>'))));
+		$this->assertEquals(array('invalid' => 'unicode' . "\xEF\xBF\xBD", 'other' => array('key&amp;key')), array_escape(array('invalid' => 'unicode' . "\xE4\xA8", 'other' => array('key&amp;key')), false));
+		$this->assertEquals(array('object' => (object)array('foo&gt;' => 'bar&lt;', 'baz&quot;' => '&amp;amp;')), array_escape(array('object' => (object)array('foo>' => 'bar<', 'baz"' => '&amp;'))));
+		$this->assertEquals(array('object' => (object)array('foo&gt;' => array('bar&lt;' => array('&amp;')))), array_escape(array('object' => (object)array('foo>' => array('bar<' => array('&amp;')))), false));
+	}
+	
 	public function testClassBasename()
 	{
 		$this->assertEquals('FunctionsTest', class_basename($this));
@@ -28,6 +36,8 @@ class FunctionsTest extends \Codeception\TestCase\Test
 	{
 		$this->assertEquals('&lt;foo&gt;&amp;amp;&lt;/foo&gt;', escape('<foo>&amp;</foo>'));
 		$this->assertEquals('&lt;foo&gt;&amp;&lt;/foo&gt;', escape('<foo>&amp;</foo>', false));
+		$this->assertEquals('&lt;foo&gt;invalid'. "\xEF\xBF\xBD" . 'unicode&lt;/foo&gt;', escape('<foo>invalid' . "\xE4\xA8" . 'unicode</foo>'));
+		$this->assertEquals('&lt;foo&gt;invalid'. "\xEF\xBF\xBD" . 'unicode&lt;/foo&gt;', escape('<foo>invalid' . "\xE4\xA8" . 'unicode&lt;/foo&gt;', false));
 		
 		$this->assertEquals('expressionalertXSS', escape_css('expression:alert("XSS")'));
 		$this->assertEquals('#123456', escape_css('#123456'));