src/cm/media/js/lib/yui/yui3-3.15.0/build/escape/escape-debug.js
changeset 602 e16a97fb364a
601:d334a616c023 602:e16a97fb364a
       
     1 YUI.add('escape', function (Y, NAME) {
       
     2 
       
     3 /**
       
     4 Provides utility methods for escaping strings.
       
     5 
       
     6 @module escape
       
     7 @class Escape
       
     8 @static
       
     9 @since 3.3.0
       
    10 **/
       
    11 
       
    12 var HTML_CHARS = {
       
    13         '&': '&',
       
    14         '<': '&lt;',
       
    15         '>': '&gt;',
       
    16         '"': '&quot;',
       
    17         "'": '&#x27;',
       
    18         '/': '&#x2F;',
       
    19         '`': '&#x60;'
       
    20     },
       
    21 
       
    22 Escape = {
       
    23     // -- Public Static Methods ------------------------------------------------
       
    24 
       
    25     /**
       
    26     Returns a copy of the specified string with special HTML characters
       
    27     escaped. The following characters will be converted to their
       
    28     corresponding character entities:
       
    29 
       
    30         & < > " ' / `
       
    31 
       
    32     This implementation is based on the [OWASP HTML escaping
       
    33     recommendations][1]. In addition to the characters in the OWASP
       
    34     recommendations, we also escape the <code>&#x60;</code> character, since IE
       
    35     interprets it as an attribute delimiter.
       
    36 
       
    37     If _string_ is not already a string, it will be coerced to a string.
       
    38 
       
    39     [1]: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
       
    40 
       
    41     @method html
       
    42     @param {String} string String to escape.
       
    43     @return {String} Escaped string.
       
    44     @static
       
    45     **/
       
    46     html: function (string) {
       
    47         return (string + '').replace(/[&<>"'\/`]/g, Escape._htmlReplacer);
       
    48     },
       
    49 
       
    50     /**
       
    51     Returns a copy of the specified string with special regular expression
       
    52     characters escaped, allowing the string to be used safely inside a regex.
       
    53     The following characters, and all whitespace characters, are escaped:
       
    54 
       
    55         - $ ^ * ( ) + [ ] { } | \ , . ?
       
    56 
       
    57     If _string_ is not already a string, it will be coerced to a string.
       
    58 
       
    59     @method regex
       
    60     @param {String} string String to escape.
       
    61     @return {String} Escaped string.
       
    62     @static
       
    63     **/
       
    64     regex: function (string) {
       
    65         // There's no need to escape !, =, and : since they only have meaning
       
    66         // when they follow a parenthesized ?, as in (?:...), and we already
       
    67         // escape parens and question marks.
       
    68         return (string + '').replace(/[\-$\^*()+\[\]{}|\\,.?\s]/g, '\\$&');
       
    69     },
       
    70 
       
    71     // -- Protected Static Methods ---------------------------------------------
       
    72 
       
    73     /**
       
    74      * Regex replacer for HTML escaping.
       
    75      *
       
    76      * @method _htmlReplacer
       
    77      * @param {String} match Matched character (must exist in HTML_CHARS).
       
    78      * @return {String} HTML entity.
       
    79      * @static
       
    80      * @protected
       
    81      */
       
    82     _htmlReplacer: function (match) {
       
    83         return HTML_CHARS[match];
       
    84     }
       
    85 };
       
    86 
       
    87 Escape.regexp = Escape.regex;
       
    88 
       
    89 Y.Escape = Escape;
       
    90 
       
    91 
       
    92 }, '@VERSION@', {"requires": ["yui-base"]});