/* YUI 3.17.2 (build 9c3c78e) Copyright 2014 Yahoo! Inc. All rights reserved. Licensed under the BSD License. http://yuilibrary.com/license/ */ YUI.add('escape', function (Y, NAME) { /** Provides utility methods for escaping strings. @module escape @class Escape @static @since 3.3.0 **/ var HTML_CHARS = { '&': '&', '<': '<', '>': '>', '"': '"', "'": ''', '/': '/', '`': '`' }, Escape = { // -- Public Static Methods ------------------------------------------------ /** Returns a copy of the specified string with special HTML characters escaped. The following characters will be converted to their corresponding character entities: & < > " ' / ` This implementation is based on the [OWASP HTML escaping recommendations][1]. In addition to the characters in the OWASP recommendations, we also escape the ` character, since IE interprets it as an attribute delimiter. If _string_ is not already a string, it will be coerced to a string. [1]: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet @method html @param {String} string String to escape. @return {String} Escaped string. @static **/ html: function (string) { return (string + '').replace(/[&<>"'\/`]/g, Escape._htmlReplacer); }, /** Returns a copy of the specified string with special regular expression characters escaped, allowing the string to be used safely inside a regex. The following characters, and all whitespace characters, are escaped: - $ ^ * ( ) + [ ] { } | \ , . ? If _string_ is not already a string, it will be coerced to a string. @method regex @param {String} string String to escape. @return {String} Escaped string. @static **/ regex: function (string) { // There's no need to escape !, =, and : since they only have meaning // when they follow a parenthesized ?, as in (?:...), and we already // escape parens and question marks. return (string + '').replace(/[\-$\^*()+\[\]{}|\\,.?\s]/g, '\\$&'); }, // -- Protected Static Methods --------------------------------------------- /** * Regex replacer for HTML escaping. * * @method _htmlReplacer * @param {String} match Matched character (must exist in HTML_CHARS). * @return {String} HTML entity. * @static * @protected */ _htmlReplacer: function (match) { return HTML_CHARS[match]; } }; Escape.regexp = Escape.regex; Y.Escape = Escape; }, '3.17.2', {"requires": ["yui-base"]});