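 /**
  * Escapes an attribute value for output inside an HTML attribute.
  *
  * htmlentities() is applied with ENT_QUOTES so that both double- and
  * single-quoted attribute values are protected against quote injection.
  * Entity encoding alone is not enough for URL-valued attributes such as
  * 'href': a "javascript:" scheme is executed by the browser even though
  * every character in it is harmless HTML. The $strict option strips such
  * payloads.
  *
  * NOTE(review): $strict is a blacklist and therefore a best-effort measure
  * only. For 'href'/'src' values the robust control is an allowlist of
  * permitted schemes (http, https, mailto, ...) enforced at the call site
  * before the value is escaped.
  *
  * @param string $str    Raw attribute value.
  * @param bool   $strict Also strip "javascript:" and "document.write"
  *                       payloads, case-insensitively and tolerating
  *                       whitespace/control bytes between the letters.
  * @return string Escaped value, or '' if the blacklist scan itself fails.
  */
 public static function escape($str, $strict = false)
 {
     $str = htmlentities(Str::esc(trim($str)), ENT_QUOTES);
     if (!$strict) {
         return $str;
     }

     // Browsers drop tab/newline (and similar control bytes) inside a URL
     // scheme, so "java\tscript:" still runs; allow any run of C0 controls
     // or spaces between the letters. The match is case-insensitive --
     // "JavaScript:" slipped through the previous str_replace(). Entity
     // tricks ("&#106;avascript:") are not a concern at this point because
     // htmlentities() above has already turned the '&' into '&amp;'.
     $gap = '[\x00-\x20]*';
     $alternatives = array();
     foreach (array('javascript:', 'document.write') as $token) {
         $alternatives[] = implode($gap, array_map('preg_quote', str_split($token)));
     }
     $pattern = '/' . implode('|', $alternatives) . '/i';

     // One pass is not enough: "javajavascript:script:" collapses to
     // "javascript:" after a single removal. Repeat until nothing changes.
     do {
         $previous = $str;
         $str = preg_replace($pattern, '', $str);
         if ($str === null) {
             // PCRE failure (e.g. backtrack limit): fail closed rather than
             // emit a value that was never actually checked.
             return '';
         }
     } while ($str !== $previous);

     return $str;
 }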
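/**
 * Escape a string using fairly aggressive rules.
 *
 * Thin wrapper around \Phpf\Util\Str::esc(); per that method's documented
 * contract it strips all tags and converts the remainder to HTML entities.
 * The default flag is now fully qualified so it resolves to the same class
 * the body calls, regardless of the namespace or `use` aliases in effect
 * where this helper is defined.
 *
 * NOTE(review): this is a generic sanitiser, not a context-aware escaper.
 * Entity-encoding makes text safe inside HTML element content; it does not
 * by itself make a value safe inside a JavaScript block, a URL attribute or
 * a CSS context. Escape per context at the point of output.
 *
 * @param string $string The string to sanitize.
 * @param mixed  $flag   Treatment of high-ASCII characters: one of the
 *                       \Phpf\Util\Str::ESC_* constants (default ESC_ASCII,
 *                       which strips them; exact type is declared there).
 * @return string Sanitized string.
 */
function str_esc($string, $flag = \Phpf\Util\Str::ESC_ASCII)
{
    return \Phpf\Util\Str::esc($string, $flag);
}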