library/htmlspecialchars.inc.php

   1 <?php
   2 /**
   3  * library/htmlspecialchars.inc.php Escaping Functions
   4  *
   5  * Copyright © 2011 Boyd Stephen Smith Jr.
   6  * This file is free software: you can redistribute it and/or modify
   7  * it under the terms of the GNU General Public License as published by
   8  * the Free Software Foundation, either version 3 of the License, or
   9  * (at your option) any later version.
  10  *
  11  * This file is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  * GNU General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU General Public License
  17  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18  *
  19  * @package OpenEMR
  20  * @author Boyd Stephen Smith Jr.
  21  */
  22
  23 /**
  24  * Escape a PHP string for use as (part of) an HTML / XML text node.
  25  *
  26  * It only escapes a few special chars: the ampersand (&) and both the left-
  27  * pointing angle bracket (<) and the right-pointing angle bracket (>), since
  28  * these are the only characters that are special in a text node.  Minimal
  29  * quoting is preferred because it produces smaller and more easily human-
  30  * readable output.
  31  *
  32  * Some characters simply cannot appear in valid XML documents, even
  33  * as entities but, this function does not attempt to handle them.
  34  *
  35  * NOTE: Attribute values are NOT text nodes, and require additional escaping.
  36  *
  37  * @param string $text The string to escape, possibly including "&", "<",
  38  *                     or ">".
  39  * @return string The string, with "&", "<", and ">" escaped.
  40  */
  41 function text($text) {
  42         return htmlspecialchars($text, ENT_NOQUOTES);
  43 }
  44
  45 /**
  46  * Escape a PHP string for use as (part of) an HTML / XML attribute value.
  47  *
  48  * It escapes several special chars: the ampersand (&), the double quote
  49  * ("), the singlequote ('), and both the left-pointing angle bracket (<)
  50  * and the right-pointing angle bracket (>), since these are the characters
  51  * that are special in an attribute value.
  52  *
  53  * Some characters simply cannot appear in valid XML documents, even
  54  * as entities but, this function does not attempt to handle them.
  55  *
  56  * NOTE: This can be used as a "generic" HTML escape since it does maximal
  57  * quoting.  However, some HTML and XML contexts (CDATA) don't provide
  58  * escape mechanisms.  Also, further pre- or post-escaping might need to
  59  * be done when embdedded other languages (like JavaScript) inside HTML /
  60  * XML documents.
  61  *
  62  * @param string $text The string to escape, possibly including (&), (<),
  63  *                     (>), ('), and (").
  64  * @return string The string, with (&), (<), (>), ("), and (') escaped.
  65  */
  66 function attr($text) {
  67         return htmlspecialchars($text, ENT_QUOTES);
  68 }
  69
  70 /**
  71  * This function is a compatibility replacement for the out function removed
  72  *  from the CDR Admin framework.
  73  *
  74  * @param string $text The string to escape, possibly including (&), (<),
  75  *                     (>), ('), and (").
  76  * @return string The string, with (&), (<), (>), ("), and (') escaped.
  77  */
  78 function out($text) {
  79         return attr($text);
  80 }
  81
  82 /**
  83  * Don't call this function.  You don't see this function.  This function
  84  * doesn't exist.
  85  *
  86  * TODO: Hide this function so it can be called from this file but not from
  87  * PHP that includes / requires this file.  Either that, or write reasonable
  88  * documentation and clean up the name.
  89  */
  90 function hsc_private_xl_or_warn($key) {
  91         if (function_exists('xl')) {
  92                 return xl($key);
  93         } else {
  94                 trigger_error(
  95                         'Translation via xl() was requested, but the xl()'
  96                         . ' function is not defined, yet.',
  97                         E_USER_WARNING
  98                 );
  99                 return $key;
 100         }
 101 }
 102
 103 /**
 104  * Translate via xl() and then escape via text().
 105  *
 106  * @param string $key The string to escape, possibly including "&", "<",
 107  *                    or ">".
 108  * @return string The string, with "&", "<", and ">" escaped.
 109  */
 110 function xlt($key) {
 111         return text(hsc_private_xl_or_warn($key));
 112 }
 113
 114 /**
 115  * Translate via xl() and then escape via attr().
 116  *
 117  * @param string $key The string to escape, possibly including (&), (<),
 118  *                    (>), ('), and (").
 119  * @return string The string, with (&), (<), (>), ("), and (') escaped.
 120  */
 121 function xla($key) {
 122         return attr(hsc_private_xl_or_warn($key));
 123 }
 124
 125 /*
 126 Translate via xl() and then escape via addslashes for use with javascript literals
 127 */
 128 function xls($key){
 129         return addslashes(hsc_private_xl_or_warn($key));
 130 }
 131 return; // Stop include / require from going any further (non-PHP)
 132 ?>