HumHub Documentation (unofficial)

Escaper

Context specific methods for use in secure output escaping

Table of Contents

Properties

$cssMatcher  : callable
Static Matcher which escapes characters for CSS Attribute contexts
$encoding  : string
Current encoding for escaping. If not UTF-8, we convert strings from this encoding pre-escaping and back to this encoding post-escaping.
$htmlAttrMatcher  : callable
Static Matcher which escapes characters for HTML Attribute contexts
$htmlNamedEntityMap  : array<int, string>
Entity Map mapping Unicode codepoints to any available named HTML entities.
$htmlSpecialCharsFlags  : int
Holds the value of the special flags passed as second parameter to htmlspecialchars().
$jsMatcher  : callable
Static Matcher which escapes characters for JavaScript contexts
$supportedEncodings  : array<string|int, mixed>
List of all encodings supported by this class

Methods

__construct()  : mixed
Constructor: Single parameter allows setting of global encoding for use by the current object.
escapeCss()  : string
Escape a string for the CSS context. CSS escaping can be applied to any string being inserted into CSS and escapes everything except alphanumerics.
escapeHtml()  : string
Escape a string for the HTML Body context where there are very few characters of special meaning. Internally this will use htmlspecialchars().
escapeHtmlAttr()  : string
Escape a string for the HTML Attribute context. We use an extended set of characters to escape that are not covered by htmlspecialchars() to cover cases where an attribute might be unquoted or quoted illegally (e.g. backticks are valid quotes for IE).
escapeJs()  : string
Escape a string for the JavaScript context. This does not use json_encode(). An extended set of characters is escaped beyond ECMAScript's rules for JavaScript literal string escaping, in order to prevent JavaScript being misinterpreted as HTML, which would allow the injection of special characters and entities. The escaping used should be tolerant of cases where HTML escaping was not correctly applied on top of JavaScript escaping.
escapeUrl()  : string
Escape a string for the URI or Parameter contexts. This should not be used to escape an entire URI, only a subcomponent being inserted. The function is a simple proxy to rawurlencode(), which fully implements RFC 3986 since PHP 5.3.
getEncoding()  : string
Return the encoding that all output/input is expected to be encoded in.
convertEncoding()  : string
Encoding conversion helper which wraps mb_convert_encoding
cssMatcher()  : string
Callback function for preg_replace_callback that applies CSS escaping to all matches.
fromUtf8()  : string
Converts a string from UTF-8 to the base encoding. The base encoding is set via this
htmlAttrMatcher()  : string
Callback function for preg_replace_callback that applies HTML Attribute escaping to all matches.
isUtf8()  : bool
Checks if a given string appears to be valid UTF-8 or not.
jsMatcher()  : string
Callback function for preg_replace_callback that applies JavaScript escaping to all matches.
toUtf8()  : string
Converts a string to UTF-8 from the base encoding. The base encoding is set via this

Properties

$cssMatcher

Static Matcher which escapes characters for CSS Attribute contexts

protected callable $cssMatcher
Tags
psalm-var

callable(array<array-key, string>):string

$encoding

Current encoding for escaping. If not UTF-8, we convert strings from this encoding pre-escaping and back to this encoding post-escaping.

protected string $encoding = 'utf-8'

$htmlAttrMatcher

Static Matcher which escapes characters for HTML Attribute contexts

protected callable $htmlAttrMatcher
Tags
psalm-var

callable(array<array-key, string>):string

$htmlNamedEntityMap

Entity Map mapping Unicode codepoints to any available named HTML entities.

protected static array<int, string> $htmlNamedEntityMap = [
    34 => 'quot', // quotation mark
    38 => 'amp',  // ampersand
    60 => 'lt',   // less-than sign
    62 => 'gt',
]

While HTML supports far more named entities, the lowest common denominator has become HTML5's XML Serialisation, which is restricted to those named entities that XML supports. Using other HTML entities would result in this error: XML Parsing Error: undefined entity

$htmlSpecialCharsFlags

Holds the value of the special flags passed as second parameter to htmlspecialchars().

protected int $htmlSpecialCharsFlags

$jsMatcher

Static Matcher which escapes characters for JavaScript contexts

protected callable $jsMatcher
Tags
psalm-var

callable(array<array-key, string>):string

$supportedEncodings

List of all encodings supported by this class

protected array<string|int, mixed> $supportedEncodings = ['iso-8859-1', 'iso8859-1', 'iso-8859-5', 'iso8859-5', 'iso-8859-15', 'iso8859-15', 'utf-8', 'cp866', 'ibm866', '866', 'cp1251', 'windows-1251', 'win-1251', '1251', 'cp1252', 'windows-1252', '1252', 'koi8-r', 'koi8-ru', 'koi8r', 'big5', '950', 'gb2312', '936', 'big5-hkscs', 'shift_jis', 'sjis', 'sjis-win', 'cp932', '932', 'euc-jp', 'eucjp', 'eucjp-win', 'macroman']

Methods

__construct()

Constructor: Single parameter allows setting of global encoding for use by the current object.

public __construct([string|null $encoding = null ]) : mixed
Parameters
$encoding : string|null = null
Tags
throws
InvalidArgumentException

escapeCss()

Escape a string for the CSS context. CSS escaping can be applied to any string being inserted into CSS and escapes everything except alphanumerics.

public escapeCss(string $string) : string
Parameters
$string : string
Return values
string

escapeHtml()

Escape a string for the HTML Body context where there are very few characters of special meaning. Internally this will use htmlspecialchars().

public escapeHtml(string $string) : string
Parameters
$string : string
Return values
string

escapeHtmlAttr()

Escape a string for the HTML Attribute context. We use an extended set of characters to escape that are not covered by htmlspecialchars() to cover cases where an attribute might be unquoted or quoted illegally (e.g. backticks are valid quotes for IE).

public escapeHtmlAttr(string $string) : string
Parameters
$string : string
Return values
string

escapeJs()

Escape a string for the JavaScript context. This does not use json_encode(). An extended set of characters is escaped beyond ECMAScript's rules for JavaScript literal string escaping, in order to prevent JavaScript being misinterpreted as HTML, which would allow the injection of special characters and entities. The escaping used should be tolerant of cases where HTML escaping was not correctly applied on top of JavaScript escaping.

public escapeJs(string $string) : string

Backslash escaping is not used as it still leaves the escaped character as-is and so is not useful in an HTML context.

Parameters
$string : string
Return values
string

escapeUrl()

Escape a string for the URI or Parameter contexts. This should not be used to escape an entire URI, only a subcomponent being inserted. The function is a simple proxy to rawurlencode(), which fully implements RFC 3986 since PHP 5.3.

public escapeUrl(string $string) : string
Parameters
$string : string
Return values
string
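The five public escape methods above each target one output context. The following is an added usage example, not code from this page or from the library; it assumes the class lives in the Laminas\Escaper\Escaper namespace and is installed via Composer (both assumptions), and the untrusted input string is constructed for the demonstration.

```php
<?php
// Added example (not part of the documentation page): one untrusted value
// rendered into several output contexts with the matching Escaper method.
// Assumes the class is Laminas\Escaper\Escaper and is autoloaded by Composer
// (namespace and install path are assumptions, not stated on the page).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Laminas\Escaper\Escaper;

// Constructed sample input: hostile in every context at once.
$untrusted = "O'Neil\" <script>alert(1)</script> & `x` ?q=1&r=2";

// The encoding must match the page's output encoding; the constructor
// throws InvalidArgumentException for an unsupported one.
$escaper = new Escaper('utf-8');

// Context 1: HTML body text (htmlspecialchars() under the hood).
$body = $escaper->escapeHtml($untrusted);

// Context 2: HTML attribute value. Quote the attribute in the markup as well;
// the extended character set only covers unquoted/illegally quoted cases.
$attr = $escaper->escapeHtmlAttr($untrusted);

// Context 3: a JavaScript string literal inside an inline <script>.
// The escaped value still has to be placed between quotes in the JS source.
$js = $escaper->escapeJs($untrusted);

// Context 4: a single query parameter, never the whole URL.
$urlParam = $escaper->escapeUrl($untrusted);

// Context 5: a CSS value inside a style block.
$css = $escaper->escapeCss($untrusted);

// Nested context: an event-handler attribute is JavaScript wrapped in an
// HTML attribute, so escape for JS first, then for the attribute around it.
$onclick = $escaper->escapeHtmlAttr('show("' . $escaper->escapeJs($untrusted) . '")');

echo <<<HTML
<p>{$body}</p>
<a title="{$attr}" href="/search?q={$urlParam}" onclick="{$onclick}">link</a>
<script>var userValue = "{$js}";</script>
<style>p.user { color: {$css}; }</style>
HTML;
```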

getEncoding()

Return the encoding that all output/input is expected to be encoded in.

public getEncoding() : string
Return values
string

convertEncoding()

Encoding conversion helper which wraps mb_convert_encoding

protected convertEncoding(string $string, string $to, array<string|int, mixed>|string $from) : string
Parameters
$string : string
$to : string
$from : array<string|int, mixed>|string
Return values
string

cssMatcher()

Callback function for preg_replace_callback that applies CSS escaping to all matches.

protected cssMatcher(array<string|int, string> $matches) : string
Parameters
$matches : array<string|int, string>
Return values
string

fromUtf8()

Converts a string from UTF-8 to the base encoding. The base encoding is set via this

protected fromUtf8(string $string) : string
Parameters
$string : string
Return values
string

htmlAttrMatcher()

Callback function for preg_replace_callback that applies HTML Attribute escaping to all matches.

protected htmlAttrMatcher(array<string|int, string> $matches) : string
Parameters
$matches : array<string|int, string>
Return values
string

isUtf8()

Checks if a given string appears to be valid UTF-8 or not.

protected isUtf8(string $string) : bool
Parameters
$string : string
Return values
bool

jsMatcher()

Callback function for preg_replace_callback that applies JavaScript escaping to all matches.

protected jsMatcher(array<string|int, string> $matches) : string
Parameters
$matches : array<string|int, string>
Return values
string

toUtf8()

Converts a string to UTF-8 from the base encoding. The base encoding is set via this

protected toUtf8(string $string) : string
Parameters
$string : string
Tags
throws
RuntimeException
Return values
string
