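--- a/escape/js/escape.js
+++ b/escape/js/escape.js
-/**
-Provides utility methods for escaping strings.
-
-@module escape
-@class Escape
-@static
-@since 3.3.0
-**/
-
-var HTML_CHARS = {
-'&': '&',
-'<': '<',
-'>': '>',
-'"': '"',
-"'": ''',
-'/': '/',
-'`': '`'
-},
-
-Escape = {
-// -- Public Static Methods ------------------------------------------------
-
-/**
-Returns a copy of the specified string with special HTML characters
-escaped. The following characters will be converted to their
-corresponding character entities:
-
-& < > " ' / `
-
-This implementation is based on the [OWASP HTML escaping
-recommendations][1]. In addition to the characters in the OWASP
-recommendations, we also escape the <code>`</code> character, since IE
-interprets it as an attribute delimiter.
-
-If _string_ is not already a string, it will be coerced to a string.
-
-[1]: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
-
-@method html
-@param {String} string String to escape.
-@return {String} Escaped string.
-@static
-**/
-html: function (string) {
-return (string + '').replace(/[&<>"'\/`]/g, Escape._htmlReplacer);
-},
-
-/**
-Returns a copy of the specified string with special regular expression
-characters escaped, allowing the string to be used safely inside a regex.
-The following characters, and all whitespace characters, are escaped:
-
-- $ ^ * ( ) + [ ] { } | \ , . ?
-
-If _string_ is not already a string, it will be coerced to a string.
-
-@method regex
-@param {String} string String to escape.
-@return {String} Escaped string.
-@static
-**/
-regex: function (string) {
-// There's no need to escape !, =, and : since they only have meaning
-// when they follow a parenthesized ?, as in (?:...), and we already
-// escape parens and question marks.
-return (string + '').replace(/[\-$\^*()+\[\]{}|\\,.?\s]/g, '\\$&');
-},
-
-// -- Protected Static Methods ---------------------------------------------
-
-/**
-* Regex replacer for HTML escaping.
-*
-* @method _htmlReplacer
-* @param {String} match Matched character (must exist in HTML_CHARS).
-* @return {String} HTML entity.
-* @static
-* @protected
-*/
-_htmlReplacer: function (match) {
-return HTML_CHARS[match];
-}
-};
-
-Escape.regexp = Escape.regex;
-
-Y.Escape = Escape;
-
-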