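_is_safe_html = $string->_is_safe_html; $string = $string->unescaped(); } $this->_raw_string = (string) $string; }

  /**
   * Factory method returning a new SafeString instance for the given string.
   *
   * NOTE(review): the start of the constructor is outside this excerpt; from
   * its visible tail it appears to copy the safe-HTML flag when it is handed
   * another SafeString -- confirm against the full file.
   *
   * @param mixed $string  the raw value, or an existing SafeString
   * @return SafeString
   */
  public static function of($string) {
    return new SafeString($string);
  }

  /**
   * Factory method returning a new SafeString instance after HTML purifying
   * the given string.
   *
   * A SafeString that is already flagged as safe HTML is returned unchanged
   * and is NOT purified again. Any other SafeString is unwrapped to its raw
   * value first, so the purifier always works on unescaped input.
   *
   * @param mixed $string  the raw value, or an existing SafeString
   * @return SafeString    flagged as safe HTML
   */
  public static function purify($string) {
    if ($string instanceof SafeString) {
      if ($string->_is_safe_html) {
        return $string;
      }
      $string = $string->unescaped();
    }
    return self::of_safe_html(self::_purify_for_html($string));
  }

  /**
   * Factory method returning a new SafeString instance which won't HTML escape.
   *
   * This sets the safe-HTML flag without inspecting the content, so the
   * caller vouches for the markup. Only pass values that have already been
   * purified or that contain no user-controlled data.
   *
   * @param mixed $string  markup that is already safe to emit verbatim
   * @return SafeString    flagged as safe HTML
   */
  public static function of_safe_html($string) {
    $safe_string = new SafeString($string);
    $safe_string->_is_safe_html = true;
    return $safe_string;
  }

  /**
   * Safe for use in HTML.
   *
   * Returns the raw string verbatim when the instance is flagged as safe
   * HTML, and the HTML-escaped string otherwise.
   *
   * @see #for_html()
   * @return string
   */
  public function __toString() {
    if ($this->_is_safe_html) {
      return $this->_raw_string;
    }
    return self::_escape_for_html($this->_raw_string);
  }

  /**
   * Safe for use in HTML.
   *
   * Example:
   *   <div><?= $php_var->for_html() ?></div>
   *
   * @return SafeString  this instance; the escaping happens in __toString()
   *                     when the result is printed or cast to a string.
   */
  public function for_html() {
    return $this;
  }

  /**
   * Safe for use as JavaScript string.
   *
   * Example:
   *   var some_js_var = <?= $php_var->for_js() ?>;
   *
   * The raw string is encoded, not the HTML-escaped one, and the result
   * already includes the surrounding double quotes.
   *
   * NOTE(review): json_encode() is called without option flags, so "<", ">",
   * "&" and "'" are emitted literally. When the value is printed inside an
   * inline script element or an event-handler attribute, the enclosing HTML
   * context still has to be handled; consider
   * JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT if the
   * minimum supported PHP version allows it.
   *
   * @return string  the string escaped for use in JavaScript; may not be a
   *                 string if encoding fails (for example on invalid UTF-8).
   */
  public function for_js() {
    return json_encode((string) $this->_raw_string);
  }

  /**
   * Safe for use in HTML element attributes.
   *
   * Assumes that the HTML element attribute is already
   * delimited by single or double quotes. The value is not made safe for
   * unquoted attributes.
   *
   * Example:
   *   <a title="<?= $php_var->for_html_attr() ?>">...</a>
   *
   * @return string  the string escaped for use in HTML attributes.
   */
  public function for_html_attr() {
    $string = (string) $this->for_html();
    // The quote entities must be spelled out here: a safe-HTML instance is
    // returned verbatim by __toString(), so this replacement is the only
    // thing that stops a quote from closing the attribute. A mapping of each
    // quote to itself would leave the value unescaped.
    return strtr($string, array("'" => "&#039;", '"' => "&quot;"));
  }

  /**
   * Safe for use in HTML (purified HTML).
   *
   * Example:
   *   <div><?= $php_var->purified_html() ?></div>
   *
   * @return SafeString  flagged as safe HTML; see purify() for the case where
   *                     this instance is already flagged.
   */
  public function purified_html() {
    return self::purify($this);
  }

  /**
   * Returns the raw, unsafe string. Do not use lightly.
   *
   * The value has had no escaping or purification applied, so it must not be
   * written to HTML, attributes or script without going through one of the
   * for_*() methods.
   *
   * @return string
   */
  public function unescaped() {
    return $this->_raw_string;
  }

  /**
   * Escape special HTML chars ("<", ">", "&", etc.) to HTML entities.
   *
   * Delegates to html::chars(), which is defined outside this excerpt.
   *
   * @param string $dirty_html
   * @return string
   */
  private static function _escape_for_html($dirty_html) {
    return html::chars($dirty_html);
  }

  /**
   * Purify the string, removing any potentially malicious or unsafe HTML / JavaScript.
   *
   * Fails closed: if no purifier::purify() method is available the input is
   * fully HTML-escaped instead of being passed through unpurified.
   *
   * @param string $dirty_html
   * @return string
   */
  private static function _purify_for_html($dirty_html) {
    if (method_exists("purifier", "purify")) {
      return purifier::purify($dirty_html);
    }
    return self::_escape_for_html($dirty_html);
  }
}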