library/htmlspecialchars.inc.php

   1 <?php
   2 /**
   3  * Escaping Functions
   4  *
   5  * @package   OpenEMR
   6  * @link      https://www.open-emr.org
   7  * @author    Boyd Stephen Smith Jr.
   8  * @author    Brady Miller <brady.g.miller@gmail.com>
   9  * @copyright Copyright (c) 2011 Boyd Stephen Smith Jr.
  10  * @copyright Copyright (c) 2018 Brady Miller <brady.g.miller@gmail.com>
  11  * @license   https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
  12  */
  13
  14 /**
  15  * Escape a javascript literal.
  16  */
  17 function js_escape($text)
  18 {
  19     return json_encode($text);
  20 }
  21
  22 /**
  23  * Escape a javascript literal within html onclick attribute.
  24  */
  25 function attr_js($text)
  26 {
  27     return attr(json_encode($text));
  28 }
  29
  30 /**
  31  * Escape html and url encode a url item.
  32  */
  33 function attr_url($text)
  34 {
  35     return attr(urlencode($text));
  36 }
  37
  38 /**
  39  * Escape js and url encode a url item.
  40  */
  41 function js_url($text)
  42 {
  43     return js_escape(urlencode($text));
  44 }
  45
  46 /**
  47  * Escape variables that are outputted into the php error log.
  48  */
  49 function errorLogEscape($text)
  50 {
  51     return attr($text);
  52 }
  53
  54 /**
  55  * Escape a PHP string for use as (part of) an HTML / XML text node.
  56  *
  57  * It only escapes a few special chars: the ampersand (&) and both the left-
  58  * pointing angle bracket (<) and the right-pointing angle bracket (>), since
  59  * these are the only characters that are special in a text node.  Minimal
  60  * quoting is preferred because it produces smaller and more easily human-
  61  * readable output.
  62  *
  63  * Some characters simply cannot appear in valid XML documents, even
  64  * as entities but, this function does not attempt to handle them.
  65  *
  66  * NOTE: Attribute values are NOT text nodes, and require additional escaping.
  67  *
  68  * @param string $text The string to escape, possibly including "&", "<",
  69  *                     or ">".
  70  * @return string The string, with "&", "<", and ">" escaped.
  71  */
  72 function text($text)
  73 {
  74     return htmlspecialchars($text, ENT_NOQUOTES);
  75 }
  76
  77 /**
  78  * Escape a PHP string for use as (part of) an HTML / XML attribute value.
  79  *
  80  * It escapes several special chars: the ampersand (&), the double quote
  81  * ("), the singlequote ('), and both the left-pointing angle bracket (<)
  82  * and the right-pointing angle bracket (>), since these are the characters
  83  * that are special in an attribute value.
  84  *
  85  * Some characters simply cannot appear in valid XML documents, even
  86  * as entities but, this function does not attempt to handle them.
  87  *
  88  * NOTE: This can be used as a "generic" HTML escape since it does maximal
  89  * quoting.  However, some HTML and XML contexts (CDATA) don't provide
  90  * escape mechanisms.  Also, further pre- or post-escaping might need to
  91  * be done when embdedded other languages (like JavaScript) inside HTML /
  92  * XML documents.
  93  *
  94  * @param string $text The string to escape, possibly including (&), (<),
  95  *                     (>), ('), and (").
  96  * @return string The string, with (&), (<), (>), ("), and (') escaped.
  97  */
  98 function attr($text)
  99 {
 100     return htmlspecialchars($text, ENT_QUOTES);
 101 }
 102
 103 /**
 104  * This function is a compatibility replacement for the out function removed
 105  *  from the CDR Admin framework.
 106  *
 107  * @param string $text The string to escape, possibly including (&), (<),
 108  *                     (>), ('), and (").
 109  * @return string The string, with (&), (<), (>), ("), and (') escaped.
 110  */
 111 function out($text)
 112 {
 113     return attr($text);
 114 }
 115
 116 /**
 117  * Don't call this function.  You don't see this function.  This function
 118  * doesn't exist.
 119  *
 120  * TODO: Hide this function so it can be called from this file but not from
 121  * PHP that includes / requires this file.  Either that, or write reasonable
 122  * documentation and clean up the name.
 123  */
 124 function hsc_private_xl_or_warn($key)
 125 {
 126     if (function_exists('xl')) {
 127         return xl($key);
 128     } else {
 129         trigger_error(
 130             'Translation via xl() was requested, but the xl()'
 131             . ' function is not defined, yet.',
 132             E_USER_WARNING
 133         );
 134         return $key;
 135     }
 136 }
 137
 138 /**
 139  * Translate via xl() and then escape via text().
 140  *
 141  * @param string $key The string to escape, possibly including "&", "<",
 142  *                    or ">".
 143  * @return string The string, with "&", "<", and ">" escaped.
 144  */
 145 function xlt($key)
 146 {
 147     return text(hsc_private_xl_or_warn($key));
 148 }
 149
 150 /**
 151  * Translate via xl() and then escape via attr().
 152  *
 153  * @param string $key The string to escape, possibly including (&), (<),
 154  *                    (>), ('), and (").
 155  * @return string The string, with (&), (<), (>), ("), and (') escaped.
 156  */
 157 function xla($key)
 158 {
 159     return attr(hsc_private_xl_or_warn($key));
 160 }
 161
 162 /*
 163  * Translate via xl() and then escape via js_escape for use with javascript literals
 164  */
 165 function xlj($key)
 166 {
 167     return js_escape(hsc_private_xl_or_warn($key));
 168 }
 169
 170 /*
 171  * Deprecated
 172  *Translate via xl() and then escape via addslashes for use with javascript literals
 173  */
 174 function xls($key)
 175 {
 176     return addslashes(hsc_private_xl_or_warn($key));
 177 }