Provides utility methods for escaping strings.
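/**
 * Html special characters, mapped to the entity reference each one is
 * replaced with by `Escape.html`.
 *
 * Every value must be an entity reference, never the raw character: a
 * raw character as the value turns `Escape.html` into a no-op for that
 * character, and the output is then no safer than the input.
 *
 * @type {Object}
 */
var HTML_CHARS = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
    '/': '&#x2F;',
    '`': '&#x60;'
};

/**
 * Provides utility methods for escaping strings.
 *
 * @type {Object}
 */
var Escape = {
    /**
     * Returns a copy of the specified string with special HTML characters
     * escaped. The following characters will be converted to their
     * corresponding character entities:
     *
     * & < > " ' / `
     *
     * This implementation is based on the [OWASP HTML escaping
     * recommendations][1]. In addition to the characters in the OWASP
     * recommendations, we also escape the <code>`</code> character,
     * since IE interprets it as an attribute delimiter.
     *
     * The result is intended for HTML element content and quoted
     * attribute values. It is not a sufficient encoding on its own for
     * unquoted attributes, or for JavaScript, URL or CSS contexts, which
     * the OWASP cheat sheet covers with separate rules.
     *
     * If _string_ is not already a string, it will be coerced to a string
     * (so `null` becomes `"null"`, a number becomes its decimal form).
     *
     * [1]: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
     *
     * @param {String} string String to escape.
     * @return {String} Escaped string.
     */
    html: function (string) {
        // The character class must list exactly the keys of HTML_CHARS;
        // a character matched here but missing from the map would be
        // replaced with the string "undefined".
        return (string + '').replace(/[&<>"'\/`]/g, Escape._htmlReplacer);
    },

    /**
     * Returns a copy of the specified string with special regular
     * expression characters escaped, allowing the string to be used safely
     * inside a regex. The following characters, and all whitespace
     * characters, are escaped:
     *
     * - $ ^ * ( ) + [ ] { } | \ , . ?
     *
     * If _string_ is not already a string, it will be coerced to a string.
     *
     * @param {String} string String to escape.
     * @return {String} Escaped string.
     */
    regex: function (string) {
        // There's no need to escape !, =, and : since they only have
        // meaning when they follow a parenthesized ?, as in (?:...), and we
        // already escape parens and question marks.
        //
        // '$&' in the replacement is the matched character itself, so each
        // match becomes a backslash followed by that character.
        return (string + '').replace(/[\-$\^*()+\[\]{}|\\,.?\s]/g, '\\$&');
    },

    /**
     * Regex replacer for HTML escaping.
     *
     * @param {String} match Matched character (must exist in HTML_CHARS).
     * @return {String} HTML entity.
     */
    _htmlReplacer: function (match) {
        return HTML_CHARS[match];
    }
};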