. class Misc { // Allowed JavaScript constructors protected static $objects = array ( 'HashOver', 'HashOverCountLink', 'HashOverLatest' ); // XSS-unsafe characters to search for protected static $searchXSS = array ( '&', '<', '>', '"', "'", '/', '\\' ); // XSS-safe replacement character entities protected static $replaceXSS = array ( '&', '<', '>', '"', ''', '/', '\' ); // Return JSON or JSONP function call public static function jsonData ($data, $self_error = false) { // Encode JSON data $json = json_encode ($data); // Return JSON as-is if the request isn't for JSONP if (!isset ($_GET['jsonp']) or !isset ($_GET['jsonp_object'])) { return $json; } // Otherwise, make JSONP callback index XSS safe $index = self::makeXSSsafe ($_GET['jsonp']); // Make JSONP object constructor name XSS safe $object = self::makeXSSsafe ($_GET['jsonp_object']); // Check if constructor is allowed, if not use default $allowed_object = in_array ($object, self::$objects, true); $object = $allowed_object ? $object : 'HashOver'; // Check if the JSONP index contains a numeric value if (is_numeric ($index) or $self_error === true) { // If so, cast index to positive integer $index = ($self_error === true) ? 0 : (int)(abs ($index)); // Construct JSONP function call $jsonp = sprintf ('%s.jsonp[%d] (%s);', $object, $index, $json); // And return the JSONP script return $jsonp; } // Otherwise, return an error return self::jsonData (array ( 'message' => 'JSONP index must have a numeric value.', 'type' => 'error' ), true); } // Makes a string XSS-safe by removing harmful characters public static function makeXSSsafe ($string) { return str_replace (self::$searchXSS, self::$replaceXSS, $string); } // Returns error in HTML paragraph public static function displayError ($error = 'Something went wrong!', $mode = 'php') { // Initial error message data $data = array (); // Make error message XSS safe $xss_safe = self::makeXSSsafe ($error); // Treat JSONP as JavaScript if ($mode === 'json' and isset ($_GET['jsonp'])) { $mode = 'javascript'; } // Decide how to display error switch ($mode) { // Minimal JavaScript to display error message on page case 'javascript': { $data[] = 'var hashover = document.getElementById (\'hashover\') || document.body;'; $data[] = 'var error = \'
HashOver: ' . $xss_safe . '
\';' . PHP_EOL; $data[] = 'hashover.innerHTML += error;'; break; } // RSS XML to indicate error case 'rss': { $data[] = ''; $data[] = 'HashOver: ' . $error . '
'; break; } } // Convert error message data to string $message = implode (PHP_EOL, $data); return $message; } // Returns error in HTML paragraph public static function displayException (\Exception $error, $mode = 'php') { return self::displayError ($error->getMessage (), $mode); } // Returns an array item or a given default value public static function getArrayItem (array $data, $key) { return !empty ($data[$key]) ? $data[$key] : false; } }