Version 3.18.1

File: escape/js/escape.js

            /**
            Provides utility methods for escaping strings.
            
            @module escape
            @class Escape
            @static
            @since 3.3.0
            **/
            
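            // Lookup table used by Escape.html(): each key is a character with special
            // meaning in HTML, each value is the character reference emitted in its place.
            var HTML_CHARS = {
                    // The ampersand must map to its entity. Mapping it to itself would
                    // leave character references already present in the input intact, so
                    // a browser would decode them instead of displaying them literally.
                    '&': '&amp;',
                    '<': '&lt;',
                    '>': '&gt;',
                    '"': '&quot;',
                    "'": '&#x27;',
                    '/': '&#x2F;',
                    '`': '&#x60;'
                },

            Escape = {
                // -- Public Static Methods ------------------------------------------------

                /**
                Returns a copy of the specified string with special HTML characters
                escaped. The following characters will be converted to their
                corresponding character entities:

                    & < > " ' / `

                This implementation is based on the [OWASP HTML escaping
                recommendations][1]. In addition to the characters in the OWASP
                recommendations, we also escape the <code>&#x60;</code> character, since IE
                interprets it as an attribute delimiter.

                If _string_ is not already a string, it will be coerced to a string
                (so `null` and `undefined` become the text "null" and "undefined").

                The result is intended for HTML element content and quoted attribute
                values. It does not make a value safe inside a script block, an event
                handler attribute, a URL-valued attribute or CSS; those contexts need
                their own encoding.

                [1]: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

                @method html
                @param {String} string String to escape.
                @return {String} Escaped string.
                @static
                **/
                html: function (string) {
                    // The character class must list exactly the keys of HTML_CHARS;
                    // a character matched here but missing from the table would be
                    // replaced by the text "undefined".
                    return (string + '').replace(/[&<>"'\/`]/g, Escape._htmlReplacer);
                },

                /**
                Returns a copy of the specified string with special regular expression
                characters escaped, allowing the string to be used safely inside a regex.
                The following characters, and all whitespace characters, are escaped:

                    - $ ^ * ( ) + [ ] { } | \ , . ?

                If _string_ is not already a string, it will be coerced to a string.

                Each escaped character is prefixed with a backslash. Escapes such as
                `\-`, `\,` and backslash-whitespace are not accepted by patterns
                compiled with the `u` flag, so build the resulting RegExp without it.

                @method regex
                @param {String} string String to escape.
                @return {String} Escaped string.
                @static
                **/
                regex: function (string) {
                    // There's no need to escape !, =, and : since they only have meaning
                    // when they follow a parenthesized ?, as in (?:...), and we already
                    // escape parens and question marks.
                    return (string + '').replace(/[\-$\^*()+\[\]{}|\\,.?\s]/g, '\\$&');
                },

                // -- Protected Static Methods ---------------------------------------------

                /**
                 * Regex replacer for HTML escaping.
                 *
                 * @method _htmlReplacer
                 * @param {String} match Matched character (must exist in HTML_CHARS).
                 * @return {String} HTML entity.
                 * @static
                 * @protected
                 */
                _htmlReplacer: function (match) {
                    return HTML_CHARS[match];
                }
            };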
            
            // Expose the utility object as Y.Escape.
            Y.Escape = Escape;

            // `regexp` is an alias: it refers to the same function as `regex`.
            Escape.regexp = Escape.regex;