6 * @link https://www.open-emr.org
7 * @author Boyd Stephen Smith Jr.
8 * @author Brady Miller <brady.g.miller@gmail.com>
9 * @copyright Copyright (c) 2011 Boyd Stephen Smith Jr.
10 * @copyright Copyright (c) 2018 Brady Miller <brady.g.miller@gmail.com>
11 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
15 * Escape a javascript literal.
17 function js_escape($text)
19 return json_encode($text);
23 * Escape a javascript literal within html onclick attribute.
25 function attr_js($text)
27 return attr(json_encode($text));
31 * Escape html and url encode a url item.
33 function attr_url($text)
35 return attr(urlencode($text));
39 * Escape js and url encode a url item.
41 function js_url($text)
43 return js_escape(urlencode($text));
47 * Escape variables that are outputted into the php error log.
49 function errorLogEscape($text)
55 * Escape a PHP string for use as (part of) an HTML / XML text node.
57 * It only escapes a few special chars: the ampersand (&) and both the left-
58 * pointing angle bracket (<) and the right-pointing angle bracket (>), since
59 * these are the only characters that are special in a text node. Minimal
60 * quoting is preferred because it produces smaller and more easily human-
63 * Some characters simply cannot appear in valid XML documents, even
64 * as entities but, this function does not attempt to handle them.
66 * NOTE: Attribute values are NOT text nodes, and require additional escaping.
68 * @param string $text The string to escape, possibly including "&", "<",
70 * @return string The string, with "&", "<", and ">" escaped.
74 return htmlspecialchars($text, ENT_NOQUOTES
);
78 * Escape a PHP string for use as (part of) an HTML / XML attribute value.
80 * It escapes several special chars: the ampersand (&), the double quote
81 * ("), the singlequote ('), and both the left-pointing angle bracket (<)
82 * and the right-pointing angle bracket (>), since these are the characters
83 * that are special in an attribute value.
85 * Some characters simply cannot appear in valid XML documents, even
86 * as entities but, this function does not attempt to handle them.
88 * NOTE: This can be used as a "generic" HTML escape since it does maximal
89 * quoting. However, some HTML and XML contexts (CDATA) don't provide
90 * escape mechanisms. Also, further pre- or post-escaping might need to
91 * be done when embdedded other languages (like JavaScript) inside HTML /
94 * @param string $text The string to escape, possibly including (&), (<),
96 * @return string The string, with (&), (<), (>), ("), and (') escaped.
100 return htmlspecialchars($text, ENT_QUOTES
);
104 * This function is a compatibility replacement for the out function removed
105 * from the CDR Admin framework.
107 * @param string $text The string to escape, possibly including (&), (<),
109 * @return string The string, with (&), (<), (>), ("), and (') escaped.
117 * Don't call this function. You don't see this function. This function
120 * TODO: Hide this function so it can be called from this file but not from
121 * PHP that includes / requires this file. Either that, or write reasonable
122 * documentation and clean up the name.
124 function hsc_private_xl_or_warn($key)
126 if (function_exists('xl')) {
130 'Translation via xl() was requested, but the xl()'
131 . ' function is not defined, yet.',
139 * Translate via xl() and then escape via text().
141 * @param string $key The string to escape, possibly including "&", "<",
143 * @return string The string, with "&", "<", and ">" escaped.
147 return text(hsc_private_xl_or_warn($key));
151 * Translate via xl() and then escape via attr().
153 * @param string $key The string to escape, possibly including (&), (<),
155 * @return string The string, with (&), (<), (>), ("), and (') escaped.
159 return attr(hsc_private_xl_or_warn($key));
163 * Translate via xl() and then escape via js_escape for use with javascript literals
167 return js_escape(hsc_private_xl_or_warn($key));
172 *Translate via xl() and then escape via addslashes for use with javascript literals
176 return addslashes(hsc_private_xl_or_warn($key));