| 1 |
efrain |
1 |
YUI.add('escape', function (Y, NAME) {
|
|
|
2 |
|
|
|
3 |
/**
|
|
|
4 |
Provides utility methods for escaping strings.
|
|
|
5 |
|
|
|
6 |
@module escape
|
|
|
7 |
@class Escape
|
|
|
8 |
@static
|
|
|
9 |
@since 3.3.0
|
|
|
10 |
**/
|
|
|
11 |
|
|
|
12 |
var HTML_CHARS = {
|
|
|
13 |
'&': '&',
|
|
|
14 |
'<': '<',
|
|
|
15 |
'>': '>',
|
|
|
16 |
'"': '"',
|
|
|
17 |
"'": ''',
|
|
|
18 |
'/': '/',
|
|
|
19 |
'`': '`'
|
|
|
20 |
},
|
|
|
21 |
|
|
|
22 |
Escape = {
|
|
|
23 |
// -- Public Static Methods ------------------------------------------------
|
|
|
24 |
|
|
|
25 |
/**
|
|
|
26 |
Returns a copy of the specified string with special HTML characters
|
|
|
27 |
escaped. The following characters will be converted to their
|
|
|
28 |
corresponding character entities:
|
|
|
29 |
|
|
|
30 |
& < > " ' / `
|
|
|
31 |
|
|
|
32 |
This implementation is based on the [OWASP HTML escaping
|
|
|
33 |
recommendations][1]. In addition to the characters in the OWASP
|
|
|
34 |
recommendations, we also escape the <code>`</code> character, since IE
|
|
|
35 |
interprets it as an attribute delimiter.
|
|
|
36 |
|
|
|
37 |
If _string_ is not already a string, it will be coerced to a string.
|
|
|
38 |
|
|
|
39 |
[1]: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
|
|
|
40 |
|
|
|
41 |
@method html
|
|
|
42 |
@param {String} string String to escape.
|
|
|
43 |
@return {String} Escaped string.
|
|
|
44 |
@static
|
|
|
45 |
**/
|
|
|
46 |
html: function (string) {
|
|
|
47 |
return (string + '').replace(/[&<>"'\/`]/g, Escape._htmlReplacer);
|
|
|
48 |
},
|
|
|
49 |
|
|
|
50 |
/**
|
|
|
51 |
Returns a copy of the specified string with special regular expression
|
|
|
52 |
characters escaped, allowing the string to be used safely inside a regex.
|
|
|
53 |
The following characters, and all whitespace characters, are escaped:
|
|
|
54 |
|
|
|
55 |
- $ ^ * ( ) + [ ] { } | \ , . ?
|
|
|
56 |
|
|
|
57 |
If _string_ is not already a string, it will be coerced to a string.
|
|
|
58 |
|
|
|
59 |
@method regex
|
|
|
60 |
@param {String} string String to escape.
|
|
|
61 |
@return {String} Escaped string.
|
|
|
62 |
@static
|
|
|
63 |
**/
|
|
|
64 |
regex: function (string) {
|
|
|
65 |
// There's no need to escape !, =, and : since they only have meaning
|
|
|
66 |
// when they follow a parenthesized ?, as in (?:...), and we already
|
|
|
67 |
// escape parens and question marks.
|
|
|
68 |
return (string + '').replace(/[\-$\^*()+\[\]{}|\\,.?\s]/g, '\\$&');
|
|
|
69 |
},
|
|
|
70 |
|
|
|
71 |
// -- Protected Static Methods ---------------------------------------------
|
|
|
72 |
|
|
|
73 |
/**
|
|
|
74 |
* Regex replacer for HTML escaping.
|
|
|
75 |
*
|
|
|
76 |
* @method _htmlReplacer
|
|
|
77 |
* @param {String} match Matched character (must exist in HTML_CHARS).
|
|
|
78 |
* @return {String} HTML entity.
|
|
|
79 |
* @static
|
|
|
80 |
* @protected
|
|
|
81 |
*/
|
|
|
82 |
_htmlReplacer: function (match) {
|
|
|
83 |
return HTML_CHARS[match];
|
|
|
84 |
}
|
|
|
85 |
};
|
|
|
86 |
|
|
|
87 |
Escape.regexp = Escape.regex;
|
|
|
88 |
|
|
|
89 |
Y.Escape = Escape;
|
|
|
90 |
|
|
|
91 |
|
|
|
92 |
}, '3.18.1', {"requires": ["yui-base"]});
|