1 <?php
2 /**
3 * Escaping Functions
5 * @package OpenEMR
6 * @link http://www.open-emr.org
7 * @author Boyd Stephen Smith Jr.
8 * @author Brady Miller <brady.g.miller@gmail.com>
9 * @copyright Copyright (c) 2011 Boyd Stephen Smith Jr.
10 * @copyright Copyright (c) 2018 Brady Miller <brady.g.miller@gmail.com>
11 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
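/**
 * Escape a PHP value as a JavaScript literal.
 *
 * The value is JSON-encoded, which is also valid JavaScript literal syntax.
 * On top of json_encode()'s defaults (which already write "/" as "\/", so a
 * "</script>" inside the value can not terminate an enclosing script
 * element), the HTML-significant characters "<", ">", "&", "'" and '"' are
 * emitted as \uXXXX escapes. The decoded JavaScript value is unchanged, but
 * the literal can no longer form a tag, a comment opener ("<!--") or an
 * entity wherever it is placed in the document.
 *
 * NOTE: json_encode() returns false (which echoes as an empty string) for
 * input it can not encode, e.g. invalid UTF-8, and the caller gets no
 * warning. An empty literal is a safer failure than raw bytes, so that
 * behaviour is kept.
 *
 * @param mixed $text The value to encode; usually a string.
 * @return string|false The JavaScript literal, or false on encoding failure.
 */
function js_escape($text)
{
    return json_encode($text, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}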
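/**
 * Escape a PHP value as a JavaScript literal that is placed inside an HTML
 * attribute value (for example an onclick handler).
 *
 * Delegates to js_escape() so the two JavaScript escapers in this file can
 * not drift apart, then applies attr() for the enclosing attribute context.
 * attr() must be the outer layer: the browser decodes the attribute value
 * before the script engine sees the literal.
 *
 * @param mixed $text The value to encode; usually a string.
 * @return string The attribute-safe JavaScript literal.
 */
function attr_js($text)
{
    return attr(js_escape($text));
}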
/**
 * URL-encode a value and then escape it for an HTML attribute value.
 *
 * Intended for query-string components written into attributes such as
 * href: urlencode() covers the URL context, attr() the attribute context.
 *
 * @param string $text The raw value to embed.
 * @return string The URL-encoded, attribute-escaped value.
 */
function attr_url($text)
{
    $urlEncoded = urlencode($text);

    return attr($urlEncoded);
}
/**
 * URL-encode a value and then wrap it as a JavaScript literal.
 *
 * Intended for query-string components that are assembled into a URL from
 * JavaScript: urlencode() covers the URL context, js_escape() the literal.
 *
 * @param string $text The raw value to embed.
 * @return string|false The JavaScript literal holding the URL-encoded value
 *                      (false if js_escape() fails to encode it).
 */
function js_url($text)
{
    $urlEncoded = urlencode($text);

    return js_escape($urlEncoded);
}
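/**
 * Escape a PHP string for use as (part of) an HTML / XML text node.
 *
 * It only escapes a few special chars: the ampersand (&) and both the left-
 * pointing angle bracket (<) and the right-pointing angle bracket (>), since
 * these are the only characters that are special in a text node. Minimal
 * quoting is preferred because it produces smaller and more easily human-
 * readable output.
 *
 * Some characters simply cannot appear in valid XML documents, even
 * as entities but, this function does not attempt to handle them.
 *
 * Invalid UTF-8 byte sequences are replaced with U+FFFD (ENT_SUBSTITUTE)
 * instead of letting htmlspecialchars() return an empty string for the whole
 * value, and the charset is passed explicitly so the result does not depend
 * on the default_charset ini setting of the running PHP.
 *
 * NOTE: Attribute values are NOT text nodes, and require additional escaping.
 *
 * @param string $text The string to escape, possibly including "&", "<",
 *                     or ">".
 * @return string The string, with "&", "<", and ">" escaped.
 */
function text($text)
{
    return htmlspecialchars($text, ENT_NOQUOTES | ENT_SUBSTITUTE, 'UTF-8');
}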
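/**
 * Escape a PHP string for use as (part of) an HTML / XML attribute value.
 *
 * It escapes several special chars: the ampersand (&), the double quote
 * ("), the singlequote ('), and both the left-pointing angle bracket (<)
 * and the right-pointing angle bracket (>), since these are the characters
 * that are special in an attribute value.
 *
 * Some characters simply cannot appear in valid XML documents, even
 * as entities but, this function does not attempt to handle them.
 *
 * Invalid UTF-8 byte sequences are replaced with U+FFFD (ENT_SUBSTITUTE)
 * instead of letting htmlspecialchars() return an empty string for the whole
 * value, and the charset is passed explicitly so the result does not depend
 * on the default_charset ini setting of the running PHP.
 *
 * NOTE: This can be used as a "generic" HTML escape since it does maximal
 * quoting. However, some HTML and XML contexts (CDATA) don't provide
 * escape mechanisms. Also, further pre- or post-escaping might need to
 * be done when embedding other languages (like JavaScript) inside HTML /
 * XML documents.
 *
 * @param string $text The string to escape, possibly including (&), (<),
 *                     (>), ('), and (").
 * @return string The string, with (&), (<), (>), ("), and (') escaped.
 */
function attr($text)
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}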
/**
 * Compatibility shim for the out() helper that the CDR Admin framework used
 * to provide. It performs exactly the escaping of attr(); new code should
 * call attr() directly.
 *
 * @param string $text The string to escape, possibly including (&), (<),
 *                     (>), ('), and (").
 * @return string The string, with (&), (<), (>), ("), and (') escaped.
 */
function out($text)
{
    $escaped = attr($text);

    return $escaped;
}
/**
 * Internal helper: translate $key via xl() when that function has been
 * loaded, otherwise raise an E_USER_WARNING and hand the key back untouched.
 *
 * Not part of this file's public API; it only exists so the xl*() escapers
 * below share one fallback. PHP has no file-private functions, so it stays
 * callable from anywhere this file is included.
 *
 * TODO: Hide this function so it can be called from this file but not from
 * PHP that includes / requires this file. Either that, or write reasonable
 * documentation and clean up the name.
 *
 * @param string $key The translation key.
 * @return string The translation, or $key itself when xl() is unavailable.
 */
function hsc_private_xl_or_warn($key)
{
    if (!function_exists('xl')) {
        trigger_error(
            'Translation via xl() was requested, but the xl() function is not defined, yet.',
            E_USER_WARNING
        );

        return $key;
    }

    return xl($key);
}
/**
 * Translate via xl() and then escape via text() for an HTML text node.
 *
 * @param string $key The translation key; the translation may contain "&",
 *                    "<", or ">".
 * @return string The translated string, with "&", "<", and ">" escaped.
 */
function xlt($key)
{
    $translated = hsc_private_xl_or_warn($key);

    return text($translated);
}
/**
 * Translate via xl() and then escape via attr() for an HTML attribute value.
 *
 * @param string $key The translation key; the translation may contain (&),
 *                    (<), (>), ('), and (").
 * @return string The translated string, with (&), (<), (>), ("), and (')
 *                escaped.
 */
function xla($key)
{
    $translated = hsc_private_xl_or_warn($key);

    return attr($translated);
}
/**
 * Translate via xl() and then encode via js_escape() for use as a
 * JavaScript literal.
 *
 * @param string $key The translation key.
 * @return string|false The translated string as a JavaScript literal
 *                      (false if js_escape() fails to encode it).
 */
function xlj($key)
{
    $translated = hsc_private_xl_or_warn($key);

    return js_escape($translated);
}
/**
 * Translate via xl() and then apply addslashes() for use inside a JavaScript
 * string literal.
 *
 * addslashes() only backslash-escapes quotes, backslashes and NUL; it does
 * not produce a complete JavaScript literal (no handling of line breaks or
 * HTML-significant characters), which is why this helper is deprecated.
 *
 * @deprecated Use xlj(), which builds the whole literal via js_escape().
 *
 * @param string $key The translation key.
 * @return string The translated string with quotes and backslashes
 *                backslash-escaped.
 */
function xls($key)
{
    $translated = hsc_private_xl_or_warn($key);

    return addslashes($translated);
}