6 * @link http://www.open-emr.org
7 * @author Boyd Stephen Smith Jr.
8 * @author Brady Miller <brady.g.miller@gmail.com>
9 * @copyright Copyright (c) 2011 Boyd Stephen Smith Jr.
10 * @copyright Copyright (c) 2018 Brady Miller <brady.g.miller@gmail.com>
11 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
15 * Escape a javascript literal.
17 function js_escape($text)
19 return json_encode($text);
23 * Escape a javascript literal within html onclick attribute.
25 function attr_js($text)
27 return attr(json_encode($text));
31 * Escape html and url encode a url item.
33 function attr_url($text)
35 return attr(urlencode($text));
39 * Escape js and url encode a url item.
41 function js_url($text)
43 return js_escape(urlencode($text));
47 * Escape a PHP string for use as (part of) an HTML / XML text node.
49 * It only escapes a few special chars: the ampersand (&) and both the left-
50 * pointing angle bracket (<) and the right-pointing angle bracket (>), since
51 * these are the only characters that are special in a text node. Minimal
52 * quoting is preferred because it produces smaller and more easily human-
55 * Some characters simply cannot appear in valid XML documents, even
56 * as entities but, this function does not attempt to handle them.
58 * NOTE: Attribute values are NOT text nodes, and require additional escaping.
60 * @param string $text The string to escape, possibly including "&", "<",
62 * @return string The string, with "&", "<", and ">" escaped.
66 return htmlspecialchars($text, ENT_NOQUOTES
);
70 * Escape a PHP string for use as (part of) an HTML / XML attribute value.
72 * It escapes several special chars: the ampersand (&), the double quote
73 * ("), the singlequote ('), and both the left-pointing angle bracket (<)
74 * and the right-pointing angle bracket (>), since these are the characters
75 * that are special in an attribute value.
77 * Some characters simply cannot appear in valid XML documents, even
78 * as entities but, this function does not attempt to handle them.
80 * NOTE: This can be used as a "generic" HTML escape since it does maximal
81 * quoting. However, some HTML and XML contexts (CDATA) don't provide
82 * escape mechanisms. Also, further pre- or post-escaping might need to
83 * be done when embdedded other languages (like JavaScript) inside HTML /
86 * @param string $text The string to escape, possibly including (&), (<),
88 * @return string The string, with (&), (<), (>), ("), and (') escaped.
92 return htmlspecialchars($text, ENT_QUOTES
);
96 * This function is a compatibility replacement for the out function removed
97 * from the CDR Admin framework.
99 * @param string $text The string to escape, possibly including (&), (<),
101 * @return string The string, with (&), (<), (>), ("), and (') escaped.
109 * Don't call this function. You don't see this function. This function
112 * TODO: Hide this function so it can be called from this file but not from
113 * PHP that includes / requires this file. Either that, or write reasonable
114 * documentation and clean up the name.
116 function hsc_private_xl_or_warn($key)
118 if (function_exists('xl')) {
122 'Translation via xl() was requested, but the xl()'
123 . ' function is not defined, yet.',
131 * Translate via xl() and then escape via text().
133 * @param string $key The string to escape, possibly including "&", "<",
135 * @return string The string, with "&", "<", and ">" escaped.
139 return text(hsc_private_xl_or_warn($key));
143 * Translate via xl() and then escape via attr().
145 * @param string $key The string to escape, possibly including (&), (<),
147 * @return string The string, with (&), (<), (>), ("), and (') escaped.
151 return attr(hsc_private_xl_or_warn($key));
155 * Translate via xl() and then escape via js_escape for use with javascript literals
159 return js_escape(hsc_private_xl_or_warn($key));
164 *Translate via xl() and then escape via addslashes for use with javascript literals
168 return addslashes(hsc_private_xl_or_warn($key));