|
602
|
1 |
YUI.add('escape', function (Y, NAME) { |
|
|
2 |
|
|
|
3 |
/** |
|
|
4 |
Provides utility methods for escaping strings. |
|
|
5 |
|
|
|
6 |
@module escape |
|
|
7 |
@class Escape |
|
|
8 |
@static |
|
|
9 |
@since 3.3.0 |
|
|
10 |
**/ |
|
|
11 |
|
|
|
12 |
var HTML_CHARS = { |
|
|
13 |
'&': '&', |
|
|
14 |
'<': '<', |
|
|
15 |
'>': '>', |
|
|
16 |
'"': '"', |
|
|
17 |
"'": ''', |
|
|
18 |
'/': '/', |
|
|
19 |
'`': '`' |
|
|
20 |
}, |
|
|
21 |
|
|
|
22 |
Escape = { |
|
|
23 |
// -- Public Static Methods ------------------------------------------------ |
|
|
24 |
|
|
|
25 |
/** |
|
|
26 |
Returns a copy of the specified string with special HTML characters |
|
|
27 |
escaped. The following characters will be converted to their |
|
|
28 |
corresponding character entities: |
|
|
29 |
|
|
|
30 |
& < > " ' / ` |
|
|
31 |
|
|
|
32 |
This implementation is based on the [OWASP HTML escaping |
|
|
33 |
recommendations][1]. In addition to the characters in the OWASP |
|
|
34 |
recommendations, we also escape the <code>`</code> character, since IE |
|
|
35 |
interprets it as an attribute delimiter. |
|
|
36 |
|
|
|
37 |
If _string_ is not already a string, it will be coerced to a string. |
|
|
38 |
|
|
|
39 |
[1]: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet |
|
|
40 |
|
|
|
41 |
@method html |
|
|
42 |
@param {String} string String to escape. |
|
|
43 |
@return {String} Escaped string. |
|
|
44 |
@static |
|
|
45 |
**/ |
|
|
46 |
html: function (string) { |
|
|
47 |
return (string + '').replace(/[&<>"'\/`]/g, Escape._htmlReplacer); |
|
|
48 |
}, |
|
|
49 |
|
|
|
50 |
/** |
|
|
51 |
Returns a copy of the specified string with special regular expression |
|
|
52 |
characters escaped, allowing the string to be used safely inside a regex. |
|
|
53 |
The following characters, and all whitespace characters, are escaped: |
|
|
54 |
|
|
|
55 |
- $ ^ * ( ) + [ ] { } | \ , . ? |
|
|
56 |
|
|
|
57 |
If _string_ is not already a string, it will be coerced to a string. |
|
|
58 |
|
|
|
59 |
@method regex |
|
|
60 |
@param {String} string String to escape. |
|
|
61 |
@return {String} Escaped string. |
|
|
62 |
@static |
|
|
63 |
**/ |
|
|
64 |
regex: function (string) { |
|
|
65 |
// There's no need to escape !, =, and : since they only have meaning |
|
|
66 |
// when they follow a parenthesized ?, as in (?:...), and we already |
|
|
67 |
// escape parens and question marks. |
|
|
68 |
return (string + '').replace(/[\-$\^*()+\[\]{}|\\,.?\s]/g, '\\$&'); |
|
|
69 |
}, |
|
|
70 |
|
|
|
71 |
// -- Protected Static Methods --------------------------------------------- |
|
|
72 |
|
|
|
73 |
/** |
|
|
74 |
* Regex replacer for HTML escaping. |
|
|
75 |
* |
|
|
76 |
* @method _htmlReplacer |
|
|
77 |
* @param {String} match Matched character (must exist in HTML_CHARS). |
|
|
78 |
* @return {String} HTML entity. |
|
|
79 |
* @static |
|
|
80 |
* @protected |
|
|
81 |
*/ |
|
|
82 |
_htmlReplacer: function (match) { |
|
|
83 |
return HTML_CHARS[match]; |
|
|
84 |
} |
|
|
85 |
}; |
|
|
86 |
|
|
|
87 |
Escape.regexp = Escape.regex; |
|
|
88 |
|
|
|
89 |
Y.Escape = Escape; |
|
|
90 |
|
|
|
91 |
|
|
|
92 |
}, '@VERSION@', {"requires": ["yui-base"]}); |