library/htmlspecialchars.inc.php

   1 <?php
   2 /**
   3  * library/htmlspecialchars.inc.php Escaping Functions
   4  *
   5  * Copyright © 2011 Boyd Stephen Smith Jr.
   6  * This file is free software: you can redistribute it and/or modify
   7  * it under the terms of the GNU General Public License as published by
   8  * the Free Software Foundation, either version 3 of the License, or
   9  * (at your option) any later version.
  10  *
  11  * This file is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  * GNU General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU General Public License
  17  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18  *
  19  * @package OpenEMR
  20  * @author Boyd Stephen Smith Jr.
  21  */
  22
  23 /**
  24  * Escape a PHP string for use as (part of) an HTML / XML text node.
  25  *
  26  * It only escapes a few special chars: the ampersand (&) and both the left-
  27  * pointing angle bracket (<) and the right-pointing angle bracket (>), since
  28  * these are the only characters that are special in a text node.  Minimal
  29  * quoting is preferred because it produces smaller and more easily human-
  30  * readable output.
  31  *
  32  * Some characters simply cannot appear in valid XML documents, even
  33  * as entities but, this function does not attempt to handle them.
  34  *
  35  * NOTE: Attribute values are NOT text nodes, and require additional escaping.
  36  *
  37  * @param string $text The string to escape, possibly including "&", "<",
  38  *                     or ">".
  39  * @return string The string, with "&", "<", and ">" escaped.
  40  */
  41 function text($text)
  42 {
  43     return htmlspecialchars($text, ENT_NOQUOTES);
  44 }
  45
  46 /**
  47  * Escape a PHP string for use as (part of) an HTML / XML attribute value.
  48  *
  49  * It escapes several special chars: the ampersand (&), the double quote
  50  * ("), the singlequote ('), and both the left-pointing angle bracket (<)
  51  * and the right-pointing angle bracket (>), since these are the characters
  52  * that are special in an attribute value.
  53  *
  54  * Some characters simply cannot appear in valid XML documents, even
  55  * as entities but, this function does not attempt to handle them.
  56  *
  57  * NOTE: This can be used as a "generic" HTML escape since it does maximal
  58  * quoting.  However, some HTML and XML contexts (CDATA) don't provide
  59  * escape mechanisms.  Also, further pre- or post-escaping might need to
  60  * be done when embdedded other languages (like JavaScript) inside HTML /
  61  * XML documents.
  62  *
  63  * @param string $text The string to escape, possibly including (&), (<),
  64  *                     (>), ('), and (").
  65  * @return string The string, with (&), (<), (>), ("), and (') escaped.
  66  */
  67 function attr($text)
  68 {
  69     return htmlspecialchars($text, ENT_QUOTES);
  70 }
  71
  72 /**
  73  * This function is a compatibility replacement for the out function removed
  74  *  from the CDR Admin framework.
  75  *
  76  * @param string $text The string to escape, possibly including (&), (<),
  77  *                     (>), ('), and (").
  78  * @return string The string, with (&), (<), (>), ("), and (') escaped.
  79  */
  80 function out($text)
  81 {
  82     return attr($text);
  83 }
  84
  85 /**
  86  * Don't call this function.  You don't see this function.  This function
  87  * doesn't exist.
  88  *
  89  * TODO: Hide this function so it can be called from this file but not from
  90  * PHP that includes / requires this file.  Either that, or write reasonable
  91  * documentation and clean up the name.
  92  */
  93 function hsc_private_xl_or_warn($key)
  94 {
  95     if (function_exists('xl')) {
  96         return xl($key);
  97     } else {
  98         trigger_error(
  99             'Translation via xl() was requested, but the xl()'
 100             . ' function is not defined, yet.',
 101             E_USER_WARNING
 102         );
 103         return $key;
 104     }
 105 }
 106
 107 /**
 108  * Translate via xl() and then escape via text().
 109  *
 110  * @param string $key The string to escape, possibly including "&", "<",
 111  *                    or ">".
 112  * @return string The string, with "&", "<", and ">" escaped.
 113  */
 114 function xlt($key)
 115 {
 116     return text(hsc_private_xl_or_warn($key));
 117 }
 118
 119 /**
 120  * Translate via xl() and then escape via attr().
 121  *
 122  * @param string $key The string to escape, possibly including (&), (<),
 123  *                    (>), ('), and (").
 124  * @return string The string, with (&), (<), (>), ("), and (') escaped.
 125  */
 126 function xla($key)
 127 {
 128     return attr(hsc_private_xl_or_warn($key));
 129 }
 130
 131 /*
 132 Translate via xl() and then escape via addslashes for use with javascript literals
 133 */
 134 function xls($key)
 135 {
 136     return addslashes(hsc_private_xl_or_warn($key));
 137 }
 138 return; // Stop include / require from going any further (non-PHP)