File: escape/js/escape.js
/**
Provides utility methods for escaping strings.
@module escape
@class Escape
@static
@since 3.3.0
**/
var HTML_CHARS = {
'&': '&',
'<': '<',
'>': '>',
'"': '"',
"'": ''',
'/': '/',
'`': '`'
},
Escape = {
// -- Public Static Methods ------------------------------------------------
/**
Returns a copy of the specified string with special HTML characters
escaped. The following characters will be converted to their
corresponding character entities:
& < > " ' / `
This implementation is based on the [OWASP HTML escaping
recommendations][1]. In addition to the characters in the OWASP
recommendations, we also escape the <code>`</code> character, since IE
interprets it as an attribute delimiter.
If _string_ is not already a string, it will be coerced to a string.
[1]: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
@method html
@param {String} string String to escape.
@return {String} Escaped string.
@static
**/
html: function (string) {
return (string + '').replace(/[&<>"'\/`]/g, Escape._htmlReplacer);
},
/**
Returns a copy of the specified string with special regular expression
characters escaped, allowing the string to be used safely inside a regex.
The following characters, and all whitespace characters, are escaped:
- $ ^ * ( ) + [ ] { } | \ , . ?
If _string_ is not already a string, it will be coerced to a string.
@method regex
@param {String} string String to escape.
@return {String} Escaped string.
@static
**/
regex: function (string) {
// There's no need to escape !, =, and : since they only have meaning
// when they follow a parenthesized ?, as in (?:...), and we already
// escape parens and question marks.
return (string + '').replace(/[\-$\^*()+\[\]{}|\\,.?\s]/g, '\\$&');
},
// -- Protected Static Methods ---------------------------------------------
/**
* Regex replacer for HTML escaping.
*
* @method _htmlReplacer
* @param {String} match Matched character (must exist in HTML_CHARS).
* @returns {String} HTML entity.
* @static
* @protected
*/
_htmlReplacer: function (match) {
return HTML_CHARS[match];
}
};
Escape.regexp = Escape.regex;
Y.Escape = Escape;