6 * @link https://www.open-emr.org
7 * @author Boyd Stephen Smith Jr.
8 * @author Brady Miller <brady.g.miller@gmail.com>
9 * @copyright Copyright (c) 2011 Boyd Stephen Smith Jr.
10 * @copyright Copyright (c) 2018 Brady Miller <brady.g.miller@gmail.com>
11 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
15 * Escape a javascript literal.
17 function js_escape($text)
19 return json_encode($text);
23 * Escape a javascript literal within html onclick attribute.
25 function attr_js($text)
27 return attr(json_encode($text));
31 * Escape html and url encode a url item.
33 function attr_url($text)
35 return attr(urlencode($text));
39 * Escape js and url encode a url item.
41 function js_url($text)
43 return js_escape(urlencode($text));
47 * Escape variables that are outputted into the php error log.
49 function errorLogEscape($text)
55 * Escape variables that are outputted into csv and spreadsheet files.
56 * See here: https://www.owasp.org/index.php/CSV_Injection
57 * Based mitigation strategy on this report: https://asecurityz.blogspot.com/2017/12/csv-injection-mitigations.html
58 * 1. Remove all the following characters: = + " |
59 * 2. Only remove leading - characters (since need in dates)
60 * 3. Only remove leading @ characters (since need in email addresses)
61 * 4. Surround with double quotes (no reference link, but seems very reasonable, which will prevent commas from breaking things).
62 * If needed in future, will add a second parameter called 'options' which will be an array of option tokens that will allow
63 * less stringent (or more stringent) mechanisms to escape for csv.
65 function csvEscape($text)
67 // 1. Remove all the following characters: = + " |
68 $text = preg_replace('/[=+"|]/', '', $text);
70 // 2. Only remove leading - characters (since need in dates)
71 // 3. Only remove leading @ characters (since need in email addresses)
72 $text = preg_replace('/^[\-@]+/', '', $text);
74 // 4. Surround with double quotes (no reference link, but seems very reasonable, which will prevent commas from breaking things).
75 return '"' . $text . '"';
79 * Escape a PHP string for use as (part of) an HTML / XML text node.
81 * It only escapes a few special chars: the ampersand (&) and both the left-
82 * pointing angle bracket (<) and the right-pointing angle bracket (>), since
83 * these are the only characters that are special in a text node. Minimal
84 * quoting is preferred because it produces smaller and more easily human-
87 * Some characters simply cannot appear in valid XML documents, even
88 * as entities but, this function does not attempt to handle them.
90 * NOTE: Attribute values are NOT text nodes, and require additional escaping.
92 * @param string $text The string to escape, possibly including "&", "<",
94 * @return string The string, with "&", "<", and ">" escaped.
98 return htmlspecialchars($text, ENT_NOQUOTES
);
102 * Escape a PHP string for use as (part of) an HTML / XML attribute value.
104 * It escapes several special chars: the ampersand (&), the double quote
105 * ("), the singlequote ('), and both the left-pointing angle bracket (<)
106 * and the right-pointing angle bracket (>), since these are the characters
107 * that are special in an attribute value.
109 * Some characters simply cannot appear in valid XML documents, even
110 * as entities but, this function does not attempt to handle them.
112 * NOTE: This can be used as a "generic" HTML escape since it does maximal
113 * quoting. However, some HTML and XML contexts (CDATA) don't provide
114 * escape mechanisms. Also, further pre- or post-escaping might need to
115 * be done when embdedded other languages (like JavaScript) inside HTML /
118 * @param string $text The string to escape, possibly including (&), (<),
120 * @return string The string, with (&), (<), (>), ("), and (') escaped.
124 return htmlspecialchars($text, ENT_QUOTES
);
128 * Don't call this function. You don't see this function. This function
131 * TODO: Hide this function so it can be called from this file but not from
132 * PHP that includes / requires this file. Either that, or write reasonable
133 * documentation and clean up the name.
135 function hsc_private_xl_or_warn($key)
137 if (function_exists('xl')) {
141 'Translation via xl() was requested, but the xl()'
142 . ' function is not defined, yet.',
150 * Translate via xl() and then escape via text().
152 * @param string $key The string to escape, possibly including "&", "<",
154 * @return string The string, with "&", "<", and ">" escaped.
158 return text(hsc_private_xl_or_warn($key));
162 * Translate via xl() and then escape via attr().
164 * @param string $key The string to escape, possibly including (&), (<),
166 * @return string The string, with (&), (<), (>), ("), and (') escaped.
170 return attr(hsc_private_xl_or_warn($key));
174 * Translate via xl() and then escape via js_escape for use with javascript literals
178 return js_escape(hsc_private_xl_or_warn($key));
183 *Translate via xl() and then escape via addslashes for use with javascript literals
187 return addslashes(hsc_private_xl_or_warn($key));