/*
YUI 3.17.2 (build 9c3c78e)
Copyright 2014 Yahoo! Inc. All rights reserved.
Licensed under the BSD License.
http://yuilibrary.com/license/
*/
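YUI.add('escape', function (Y, NAME) {

/**
Provides utility methods for escaping strings.

@module escape
@class Escape
@static
@since 3.3.0
**/

// Maps each character matched by `Escape.html()` to the character reference
// that replaces it. Every value must differ from its key: a map whose values
// equal their keys would return untrusted markup unchanged.
var HTML_CHARS = {
        '&': '&amp;',
        '<': '&lt;',
        '>': '&gt;',
        '"': '&quot;',
        "'": '&#x27;',
        '/': '&#x2F;',
        '`': '&#x60;'
    },

    Escape = {
        // -- Public Static Methods ------------------------------------------------

        /**
        Returns a copy of the specified string with special HTML characters
        escaped. The following characters will be converted to their
        corresponding character entities:

            & < > " ' / `

        This implementation is based on the [OWASP HTML escaping
        recommendations][1]. In addition to the characters in the OWASP
        recommendations, we also escape the <code>`</code> character, since IE
        interprets it as an attribute delimiter.

        If _string_ is not already a string, it will be coerced to a string.

        The escaped set covers HTML element content and quoted attribute
        values. It does not escape whitespace or `=`, so the result is not
        safe in an unquoted attribute value, and it is not an encoder for
        script, style or URL contexts.

        `&` is always escaped, so passing an already-escaped string through
        this method again escapes it a second time.

        [1]: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

        @method html
        @param {String} string String to escape.
        @return {String} Escaped string.
        @static
        **/
        html: function (string) {
            // `+ ''` coerces non-string input before matching.
            return (string + '').replace(/[&<>"'\/`]/g, Escape._htmlReplacer);
        },

        /**
        Returns a copy of the specified string with special regular expression
        characters escaped, allowing the string to be used safely inside a regex.
        The following characters, and all whitespace characters, are escaped:

            - $ ^ * ( ) + [ ] { } | \ , . ?

        If _string_ is not already a string, it will be coerced to a string.

        The `/` character is not in the escaped set, so the result is suited
        to `new RegExp(...)` rather than to being pasted into a regex literal.

        @method regex
        @param {String} string String to escape.
        @return {String} Escaped string.
        @static
        **/
        regex: function (string) {
            // There's no need to escape !, =, and : since they only have meaning
            // when they follow a parenthesized ?, as in (?:...), and we already
            // escape parens and question marks.
            return (string + '').replace(/[\-$\^*()+\[\]{}|\\,.?\s]/g, '\\$&');
        },

        // -- Protected Static Methods ---------------------------------------------

        /**
         * Regex replacer for HTML escaping.
         *
         * Only called with characters matched by the pattern in `html()`, each
         * of which is a key of HTML_CHARS.
         *
         * @method _htmlReplacer
         * @param {String} match Matched character (must exist in HTML_CHARS).
         * @return {String} HTML entity.
         * @static
         * @protected
         */
        _htmlReplacer: function (match) {
            return HTML_CHARS[match];
        }
    };

// `regexp` is an alias for `regex`; both names refer to the same function.
Escape.regexp = Escape.regex;

Y.Escape = Escape;


}, '3.17.2', {"requires": ["yui-base"]});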