Magento 2 Documentation  2.3
Documentation for Magento 2 CMS v2.3 (December 2018)
Escaper Class Reference

Public Member Functions

 escapeHtml ($data, $allowedTags=null)
 
 escapeHtmlAttr ($string, $escapeSingleQuote=true)
 
 escapeUrl ($string)
 
 encodeUrlParam ($string)
 
 escapeJs ($string)
 
 escapeCss ($string)
 
 escapeJsQuote ($data, $quote='\'')
 
 escapeXssInUrl ($data)
 
 escapeQuote ($data, $addSlashes=false)
 

Detailed Description

Context-specific output-escaping helpers for Magento templates: HTML text, HTML attribute, URL, JavaScript and CSS contexts. Each method is safe only in the context it is named for; there is no universal "sanitize".

@api

Since
100.0.2

Definition at line 15 of file Escaper.php.

Member Function Documentation

◆ encodeUrlParam()

/**
 * Encode a single value for use as a URL query-string parameter.
 *
 * Delegates to the wrapped escaper's escapeUrl(); that implementation is not
 * visible here (presumably percent-encoding — confirm against the wrapped
 * escaper). This is NOT the method for escaping a complete URL before it is
 * placed in an HTML attribute; use escapeUrl() on this class for that.
 *
 * @param string $string raw parameter value
 * @return string encoded value
 * @since 101.0.0
 */
public function encodeUrlParam($string)
{
    $escaper = $this->getEscaper();

    return $escaper->escapeUrl($string);
}

◆ escapeCss()

/**
 * Escape a string for the CSS context (e.g. a value inside a style declaration).
 *
 * Delegates entirely to the wrapped escaper's escapeCss(); that implementation
 * is not visible here, so the exact output encoding is not documented in this
 * class. Use it only for CSS values, not for HTML or JavaScript.
 *
 * @param string $string raw value
 * @return string escaped value
 * @since 101.0.0
 */
public function escapeCss($string)
{
    $escaper = $this->getEscaper();

    return $escaper->escapeCss($string);
}

◆ escapeHtml()

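/**
 * Escape a string (or every element of an array, recursively) for the HTML
 * text context.
 *
 * Without $allowedTags (null or an empty array) the value is run through
 * htmlspecialchars() with ENT_QUOTES | ENT_SUBSTITUTE: <, >, &, " and ' are
 * entity-encoded, invalid UTF-8 is replaced with U+FFFD, and existing
 * entities are kept as-is (double_encode = false).
 *
 * With a non-empty $allowedTags the value is parsed as an HTML fragment and
 * rebuilt: tags not in the allowlist are removed, attributes are filtered,
 * and text/attribute values are escaped by the removeNotAllowedTags(),
 * removeNotAllowedAttributes(), escapeText() and escapeAttributeValues()
 * helpers (defined elsewhere in this class). The allowlist itself is first
 * passed through filterProhibitedTags(), which drops tags that can never be
 * allowed: script, img, embed, iframe, video, source, object, audio.
 *
 * If libxml reports a problem while parsing, it is logged at critical level
 * and processing continues; the final regex then generally fails to match
 * and '' is returned, so a parse failure fails closed rather than emitting
 * unescaped input.
 *
 * Fix: the original called restore_error_handler() twice on the error path
 * (once in the catch block and once after it), which also popped the
 * caller's own error handler. The restore now happens exactly once, in a
 * finally block.
 *
 * @param string|array $data value(s) to escape; non-array input is cast to string
 * @param array|null $allowedTags tag names to leave unescaped
 * @return string|array escaped value, or an array of escaped values
 */
public function escapeHtml($data, $allowedTags = null)
{
    if (is_array($data)) {
        $result = [];
        foreach ($data as $item) {
            $result[] = $this->escapeHtml($item, $allowedTags);
        }
        return $result;
    }

    $data = (string)$data;
    if ($data === '') {
        return $data;
    }

    if (!is_array($allowedTags) || empty($allowedTags)) {
        return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
    }

    $allowedTags = $this->filterProhibitedTags($allowedTags);
    // The fragment is wrapped in a <body> with a unique id so that it can be
    // located again in the serialised document after the DOM has been rewritten.
    $wrapperElementId = uniqid();
    $domDocument = new \DOMDocument('1.0', 'UTF-8');
    $string = mb_convert_encoding($data, 'HTML-ENTITIES', 'UTF-8');

    // libxml reports malformed markup as PHP warnings; turn them into an
    // exception for the duration of loadHTML() only.
    set_error_handler(
        function ($errorNumber, $errorString) {
            throw new \Exception($errorString, $errorNumber);
        }
    );
    try {
        $domDocument->loadHTML(
            '<html><body id="' . $wrapperElementId . '">' . $string . '</body></html>'
        );
    } catch (\Exception $e) {
        $this->getLogger()->critical($e);
    } finally {
        // Exactly one restore, on both the success and the error path.
        restore_error_handler();
    }

    $this->removeNotAllowedTags($domDocument, $allowedTags);
    $this->removeNotAllowedAttributes($domDocument);
    $this->escapeText($domDocument);
    $this->escapeAttributeValues($domDocument);

    $result = mb_convert_encoding($domDocument->saveHTML(), 'UTF-8', 'HTML-ENTITIES');
    preg_match('/<body id="' . $wrapperElementId . '">(.+)<\/body><\/html>$/si', $result, $matches);

    return !empty($matches) ? $matches[1] : '';
}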

◆ escapeHtmlAttr()

/**
 * Escape a string for insertion into an HTML attribute value.
 *
 * With $escapeSingleQuote = true (the default) the value is handed to the
 * wrapped escaper's escapeHtmlAttr(), which is the variant to use when the
 * attribute's quoting style is not under your control. With false,
 * htmlspecialchars() is used with ENT_COMPAT, which encodes <, >, & and "
 * but leaves the single quote untouched — that output is only safe inside a
 * double-quoted attribute. The false branch does not pass ENT_SUBSTITUTE, so
 * an invalid UTF-8 sequence makes htmlspecialchars() return '' (fail closed),
 * and existing entities are not double-encoded (double_encode = false).
 *
 * @param string $string value to escape; cast to string first
 * @param boolean $escapeSingleQuote whether ' must be encoded as well
 * @return string
 * @since 101.0.0
 */
public function escapeHtmlAttr($string, $escapeSingleQuote = true)
{
    $value = (string)$string;
    if (!$escapeSingleQuote) {
        return htmlspecialchars($value, ENT_COMPAT, 'UTF-8', false);
    }

    return $this->getEscaper()->escapeHtmlAttr($value);
}

◆ escapeJs()

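/**
 * Escape a string for insertion inside a quoted JavaScript string literal.
 *
 * Every character outside [a-zA-Z0-9,._] — including both quote characters,
 * backslash, <, >, /, & and all whitespace — is replaced by a \uXXXX escape,
 * so the result cannot terminate the surrounding string literal or contain a
 * literal "</script>". The output is only meaningful between quotes; it is
 * not a safe bare JavaScript expression. '' and all-digit strings are
 * returned unchanged.
 *
 * Multi-byte characters are converted to UTF-16BE first. A character outside
 * the Basic Multilingual Plane yields two UTF-16 code units, which are now
 * emitted as two \uXXXX escapes (a surrogate pair). The original emitted them
 * as a single \u followed by eight hex digits, which JavaScript reads as one
 * escape plus four literal characters, corrupting e.g. emoji. If the UTF-16
 * conversion fails, \u0000 is emitted, as before.
 *
 * @param string $string
 * @return string
 * @since 101.0.0
 */
public function escapeJs($string)
{
    if ($string === '' || ctype_digit($string)) {
        return $string;
    }

    return preg_replace_callback(
        '/[^a-z0-9,\._]/iSu',
        function ($matches) {
            $chr = $matches[0];
            if (strlen($chr) != 1) {
                $chr = mb_convert_encoding($chr, 'UTF-16BE', 'UTF-8');
                $chr = ($chr === false) ? '' : $chr;
            }
            $hex = strtoupper(bin2hex($chr));
            if (strlen($hex) <= 4) {
                return sprintf('\\u%04s', $hex);
            }
            // Surrogate pair: one \u escape per 16-bit code unit.
            $escaped = '';
            foreach (str_split($hex, 4) as $codeUnit) {
                $escaped .= sprintf('\\u%04s', $codeUnit);
            }
            return $escaped;
        },
        $string
    );
}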

◆ escapeJsQuote()

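/**
 * Backslash-escape a quote character (and the backslash itself) for a
 * JavaScript string literal; arrays are processed element by element.
 *
 * The original only replaced $quote with \$quote. That is not sufficient on
 * its own: the input "\'" became "\\'" — an escaped backslash followed by a
 * bare quote that terminates the literal. Backslashes are therefore doubled
 * before the quote is escaped. Newlines and "</script>" are still not
 * handled; prefer escapeJs(), which encodes every non-alphanumeric character.
 *
 * @param string|array $data
 * @param string $quote the quote character delimiting the literal, ' or "
 * @return string|array
 * @deprecated 101.0.0 use escapeJs()
 */
public function escapeJsQuote($data, $quote = '\'')
{
    if (is_array($data)) {
        $result = [];
        foreach ($data as $item) {
            $result[] = $this->escapeJsQuote($item, $quote);
        }
        return $result;
    }

    // Order matters: double backslashes first so the one added for the quote
    // is not doubled again.
    return str_replace(
        ['\\', $quote],
        ['\\\\', '\\' . $quote],
        (string)$data
    );
}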

◆ escapeQuote()

/**
 * Entity-encode quotes (and <, >, &) for an HTML attribute value.
 *
 * htmlspecialchars() is called with ENT_QUOTES, a null charset (PHP's
 * default, normally UTF-8) and double_encode = false, so pre-existing
 * entities are left alone. ENT_SUBSTITUTE is not set: an invalid UTF-8
 * sequence yields '' rather than partial output.
 *
 * When $addSlashes is exactly true, addslashes() runs first, backslash-
 * escaping ', ", \ and NUL. Caution for inline event handlers (onclick etc.):
 * the browser decodes the entities before the JavaScript engine sees the
 * text, so with $addSlashes = false a quote in $data reappears as a bare
 * quote inside the script and can end the string literal — only the
 * $addSlashes = true variant keeps it escaped at the JavaScript layer. The
 * safer pattern is escapeHtmlAttr(escapeJs($data)).
 *
 * @param string $data
 * @param bool $addSlashes
 * @return string
 * @deprecated 101.0.0
 */
public function escapeQuote($data, $addSlashes = false)
{
    $value = $addSlashes === true ? addslashes($data) : $data;

    return htmlspecialchars($value, ENT_QUOTES, null, false);
}

◆ escapeUrl()

/**
 * Escape a complete URL for output in HTML (e.g. an href/src attribute or
 * text content).
 *
 * Two passes: escapeXssInUrl() first, which runs escapeScriptIdentifiers()
 * (defined elsewhere in this class) and an ENT_COMPAT htmlspecialchars();
 * then escapeHtml(), which adds ENT_QUOTES | ENT_SUBSTITUTE. Both passes use
 * double_encode = false, so the entities produced by the first are not
 * encoded again by the second. Nothing visible here percent-encodes — for a
 * single query-string value use encodeUrlParam().
 *
 * @param string $string
 * @return string
 */
public function escapeUrl($string)
{
    $withoutScriptIdentifiers = $this->escapeXssInUrl($string);

    return $this->escapeHtml($withoutScriptIdentifiers);
}

◆ escapeXssInUrl()

/**
 * Strip script identifiers from a URL and entity-encode it for an HTML
 * attribute.
 *
 * The value is cast to string, passed through escapeScriptIdentifiers()
 * (defined elsewhere in this class; its exact behaviour is not visible here)
 * and then htmlspecialchars(). Flags: ENT_COMPAT encodes " but not ', so the
 * result is only safe in a double-quoted attribute; ENT_HTML5 selects the
 * HTML5 entity table (ENT_HTML401 is 0 and adds nothing to the mask);
 * double_encode = false keeps existing entities. No ENT_SUBSTITUTE, so
 * invalid UTF-8 yields ''.
 *
 * @param string $data
 * @return string
 * @deprecated 101.0.0 use escapeUrl()
 */
public function escapeXssInUrl($data)
{
    $cleaned = $this->escapeScriptIdentifiers((string)$data);

    return htmlspecialchars($cleaned, ENT_COMPAT | ENT_HTML5 | ENT_HTML401, 'UTF-8', false);
}
