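/*
YUI 3.10.3 (build 2fb5187)
Copyright 2013 Yahoo! Inc. All rights reserved.
Licensed under the BSD License.
http://yuilibrary.com/license/
*/

YUI.add('escape', function (Y, NAME) {

/**
Provides utility methods for escaping strings.

@module escape
@class Escape
@static
@since 3.3.0
**/

// Character -> entity reference table consulted by `_htmlReplacer`. Every key
// here must also appear in the character class used by `Escape.html`, and
// vice versa, otherwise a matched character would be replaced by `undefined`.
var HTML_CHARS = {
        '&': '&amp;',
        '<': '&lt;',
        '>': '&gt;',
        '"': '&quot;',
        "'": '&#x27;',
        '/': '&#x2F;',
        '`': '&#x60;'
    },

    Escape = {
        // -- Public Static Methods ------------------------------------------------

        /**
        Returns a copy of the specified string with special HTML characters
        escaped. The following characters will be converted to their
        corresponding character entities:

            & < > " ' / `

        This implementation is based on the [OWASP HTML escaping
        recommendations][1]. In addition to the characters in the OWASP
        recommendations, we also escape the <code>`</code> character, since IE
        interprets it as an attribute delimiter.

        The result is safe to insert as HTML text content or inside a quoted
        attribute value. It is not sufficient on its own for other contexts
        (e.g. inline JavaScript, URL or CSS values), which need their own
        context-specific encoding as described in the OWASP cheat sheet.

        If _string_ is not already a string, it will be coerced to a string
        (so `null` and `undefined` become the text "null" and "undefined").

        [1]: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

        @method html
        @param {String} string String to escape.
        @return {String} Escaped string.
        @static
        **/
        html: function (string) {
            // The character class must stay in sync with the keys of HTML_CHARS.
            return (string + '').replace(/[&<>"'\/`]/g, Escape._htmlReplacer);
        },

        /**
        Returns a copy of the specified string with special regular expression
        characters escaped, allowing the string to be used safely inside a regex.
        The following characters, and all whitespace characters, are escaped:

            - (hyphen) $ ^ * ( ) + [ ] { } | \ , . ?

        Use this before interpolating untrusted text into a `RegExp` built from
        a string, so the text is matched literally rather than interpreted as
        pattern syntax.

        If _string_ is not already a string, it will be coerced to a string.

        @method regex
        @param {String} string String to escape.
        @return {String} Escaped string.
        @static
        **/
        regex: function (string) {
            // There's no need to escape !, =, and : since they only have meaning
            // when they follow a parenthesized ?, as in (?:...), and we already
            // escape parens and question marks.
            // '$&' in the replacement is the matched character itself, so each
            // special character becomes a backslash followed by that character.
            return (string + '').replace(/[\-$\^*()+\[\]{}|\\,.?\s]/g, '\\$&');
        },

        // -- Protected Static Methods ---------------------------------------------

        /**
         * Regex replacer for HTML escaping.
         *
         * @method _htmlReplacer
         * @param {String} match Matched character (must exist in HTML_CHARS).
         * @return {String} HTML entity.
         * @static
         * @protected
         */
        _htmlReplacer: function (match) {
            return HTML_CHARS[match];
        }
    };

// Backwards-compatible alias; `regexp` and `regex` are the same function.
Escape.regexp = Escape.regex;

Y.Escape = Escape;


}, '3.10.3', {"requires": ["yui-base"]});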