
/lib/yuilib/3.17.2/escape/ -> escape.js (source)

   1  /*
   2  YUI 3.17.2 (build 9c3c78e)
   3  Copyright 2014 Yahoo! Inc. All rights reserved.
   4  Licensed under the BSD License.
   5  http://yuilibrary.com/license/
   6  */
   7  
   8  YUI.add('escape', function (Y, NAME) {
   9  
  10  /**
  11  Provides utility methods for escaping strings.
  12  
  13  @module escape
  14  @class Escape
  15  @static
  16  @since 3.3.0
  17  **/
  18  
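// Lookup table: each character that Escape.html() rewrites, mapped to the
// HTML entity that replaces it.
var HTML_CHARS = {
    // The ampersand has to map to its entity. If it were passed through
    // unchanged, input could carry ready-made entities (for example "&lt;")
    // into the output and the result would no longer round-trip as text.
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
    '/': '&#x2F;',
    '`': '&#x60;'
};

var Escape = {
    // -- Public Static Methods ------------------------------------------------

    /**
    Returns a copy of the specified string with special HTML characters
    escaped. The following characters will be converted to their
    corresponding character entities:

        & < > " ' / `

    This implementation is based on the [OWASP HTML escaping
    recommendations][1]. In addition to the characters in the OWASP
    recommendations, we also escape the backtick character, since IE
    interprets it as an attribute delimiter.

    If _string_ is not already a string, it will be coerced to a string.

    Every character is replaced in a single pass, so an ampersand produced by
    one replacement is never escaped a second time.

    Scope of the protection: entity escaping of this kind is appropriate for
    text placed in HTML element content or inside a quoted attribute value.
    It is not sufficient on its own for values placed in script blocks,
    inline event handlers, CSS, or URL attributes (`href`, `src`); those
    contexts need their own encoding or validation.

    [1]: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

    @method html
    @param {String} string String to escape.
    @return {String} Escaped string.
    @static
    **/
    html: function (string) {
        // `string + ''` coerces non-string input (numbers, null, objects).
        return (string + '').replace(/[&<>"'\/`]/g, Escape._htmlReplacer);
    },

    /**
    Returns a copy of the specified string with special regular expression
    characters escaped, allowing the string to be used safely inside a regex.
    The following characters, and all whitespace characters, are escaped:

        - $ ^ * ( ) + [ ] { } | \ , . ?

    If _string_ is not already a string, it will be coerced to a string.

    Note: some of the escapes produced here (for example an escaped comma or
    escaped whitespace) are not valid syntax in a pattern compiled with the
    `u` flag, so the result is intended for non-Unicode-mode patterns.

    @method regex
    @param {String} string String to escape.
    @return {String} Escaped string.
    @static
    **/
    regex: function (string) {
        // There's no need to escape !, =, and : since they only have meaning
        // when they follow a parenthesized ?, as in (?:...), and we already
        // escape parens and question marks.
        return (string + '').replace(/[\-$\^*()+\[\]{}|\\,.?\s]/g, '\\$&');
    },

    // -- Protected Static Methods ---------------------------------------------

    /**
     * Regex replacer for HTML escaping. Looks the matched character up in
     * HTML_CHARS; a character that is not a key of that table yields
     * `undefined`, so callers must only pass characters the table contains.
     *
     * @method _htmlReplacer
     * @param {String} match Matched character (must exist in HTML_CHARS).
     * @return {String} HTML entity.
     * @static
     * @protected
     */
    _htmlReplacer: function (match) {
        return HTML_CHARS[match];
    }
};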
  93  
// `regexp` is an alias: both property names refer to the same function.
Escape.regexp = Escape.regex;

// Attach the Escape object to the Y instance handed to this module callback.
Y.Escape = Escape;
  97  
  98  
  99  }, '3.17.2', {"requires": ["yui-base"]});

