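/**
 * Escapes an attribute value.
 *
 * Note htmlentities() is applied with ENT_QUOTES in order to avoid
 * XSS through single-quote injection. However, entity-encoding does not
 * neutralise a value that is itself a URL carrying a script scheme once it
 * lands in an attribute like 'href'. The strict option removes a small
 * denylist of such tokens as defence in depth only: a denylist can never be
 * complete, so callers placing a value into a URL attribute should still
 * validate the scheme against an allowlist.
 *
 * @param string $str    Raw attribute value.
 * @param bool   $strict When true, also remove the denylisted tokens.
 * @return string Entity-encoded value.
 */
public static function escape($str, $strict = false)
{
    $str = htmlentities(Str::esc(trim($str)), ENT_QUOTES);

    if (!$strict) {
        return $str;
    }

    // Match case-insensitively and repeat until the string stops changing:
    // a single case-sensitive pass leaves other spellings of the token in
    // place, and removing one occurrence can leave fragments that join into
    // a fresh occurrence. Each pass either shortens the string or ends the
    // loop, so it terminates.
    $tokens = array('javascript:', 'document.write');
    do {
        $before = $str;
        $str = str_ireplace($tokens, '', $str);
    } while ($str !== $before);

    return $str;
}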
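/**
 * Escape a string using fairly aggressive rules.
 * Strips all tags and converts to html entities.
 *
 * Delegates to \Phpf\Util\Str::esc().
 *
 * @param string $string The string to sanitize.
 * @param string $flag Strip or do nothing with high ASCII chars. (default:
 * strip)
 * @return string Sanitized string.
 */
function str_esc($string, $flag = \Phpf\Util\Str::ESC_ASCII)
{
    // The default value and the call both name the class fully qualified, so
    // resolution does not depend on a `use Phpf\Util\Str;` in this file.
    return \Phpf\Util\Str::esc($string, $flag);
}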