7 * @link https://www.open-emr.org
8 * @author Boyd Stephen Smith Jr.
9 * @author Brady Miller <brady.g.miller@gmail.com>
10 * @copyright Copyright (c) 2011 Boyd Stephen Smith Jr.
11 * @copyright Copyright (c) 2018 Brady Miller <brady.g.miller@gmail.com>
12 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
16 * Escape a javascript literal.
18 function js_escape($text)
20 return json_encode($text);
24 * Escape a javascript literal within html onclick attribute.
26 function attr_js($text)
28 return attr(json_encode($text));
32 * Escape html and url encode a url item.
34 function attr_url($text)
36 return attr(urlencode($text));
40 * Escape js and url encode a url item.
42 function js_url($text)
44 return js_escape(urlencode($text));
48 * Escape variables that are outputted into the php error log.
50 function errorLogEscape($text)
56 * Escape variables that are outputted into csv and spreadsheet files.
57 * See here: https://www.owasp.org/index.php/CSV_Injection
58 * Based mitigation strategy on this report: https://asecurityz.blogspot.com/2017/12/csv-injection-mitigations.html
59 * 1. Remove all the following characters: = + " |
60 * 2. Only remove leading - characters (since need in dates)
61 * 3. Only remove leading @ characters (since need in email addresses)
62 * 4. Surround with double quotes (no reference link, but seems very reasonable, which will prevent commas from breaking things).
63 * If needed in future, will add a second parameter called 'options' which will be an array of option tokens that will allow
64 * less stringent (or more stringent) mechanisms to escape for csv.
66 function csvEscape($text)
68 // 1. Remove all the following characters: = + " |
69 $text = preg_replace('/[=+"|]/', '', $text);
71 // 2. Only remove leading - characters (since need in dates)
72 // 3. Only remove leading @ characters (since need in email addresses)
73 $text = preg_replace('/^[\-@]+/', '', $text);
75 // 4. Surround with double quotes (no reference link, but seems very reasonable, which will prevent commas from breaking things).
76 return '"' . $text . '"';
80 * Escape a PHP string for use as (part of) an HTML / XML text node.
82 * It only escapes a few special chars: the ampersand (&) and both the left-
83 * pointing angle bracket (<) and the right-pointing angle bracket (>), since
84 * these are the only characters that are special in a text node. Minimal
85 * quoting is preferred because it produces smaller and more easily human-
88 * Some characters simply cannot appear in valid XML documents, even
89 * as entities but, this function does not attempt to handle them.
91 * NOTE: Attribute values are NOT text nodes, and require additional escaping.
93 * @param string $text The string to escape, possibly including "&", "<",
95 * @return string The string, with "&", "<", and ">" escaped.
99 return htmlspecialchars($text, ENT_NOQUOTES
);
103 * Escape a PHP string for use as (part of) an HTML / XML attribute value.
105 * It escapes several special chars: the ampersand (&), the double quote
106 * ("), the singlequote ('), and both the left-pointing angle bracket (<)
107 * and the right-pointing angle bracket (>), since these are the characters
108 * that are special in an attribute value.
110 * Some characters simply cannot appear in valid XML documents, even
111 * as entities but, this function does not attempt to handle them.
113 * NOTE: This can be used as a "generic" HTML escape since it does maximal
114 * quoting. However, some HTML and XML contexts (CDATA) don't provide
115 * escape mechanisms. Also, further pre- or post-escaping might need to
116 * be done when embdedded other languages (like JavaScript) inside HTML /
119 * @param string $text The string to escape, possibly including (&), (<),
121 * @return string The string, with (&), (<), (>), ("), and (') escaped.
125 return htmlspecialchars($text, ENT_QUOTES
);
129 * Don't call this function. You don't see this function. This function
132 * TODO: Hide this function so it can be called from this file but not from
133 * PHP that includes / requires this file. Either that, or write reasonable
134 * documentation and clean up the name.
136 function hsc_private_xl_or_warn($key)
138 if (function_exists('xl')) {
142 'Translation via xl() was requested, but the xl()'
143 . ' function is not defined, yet.',
151 * Translate via xl() and then escape via text().
153 * @param string $key The string to escape, possibly including "&", "<",
155 * @return string The string, with "&", "<", and ">" escaped.
159 return text(hsc_private_xl_or_warn($key));
163 * Translate via xl() and then escape via attr().
165 * @param string $key The string to escape, possibly including (&), (<),
167 * @return string The string, with (&), (<), (>), ("), and (') escaped.
171 return attr(hsc_private_xl_or_warn($key));
175 * Translate via xl() and then escape via js_escape for use with javascript literals
179 return js_escape(hsc_private_xl_or_warn($key));
184 *Translate via xl() and then escape via addslashes for use with javascript literals
188 return addslashes(hsc_private_xl_or_warn($key));