You are here

protected function Escaper::htmlAttrMatcher in Zircon Profile 8.0

Same name and namespace in other branches
  1. 8 vendor/zendframework/zend-escaper/src/Escaper.php \Zend\Escaper\Escaper::htmlAttrMatcher()

Callback function for preg_replace_callback that applies HTML Attribute escaping to all matches.

Parameters

array $matches:

Return value

string

File

vendor/zendframework/zend-escaper/src/Escaper.php, line 231

Class

Escaper
Context specific methods for use in secure output escaping

Namespace

Zend\Escaper

Code

protected function htmlAttrMatcher($matches) {
  $chr = $matches[0];
  $ord = ord($chr);

  /**
   * The following replaces characters undefined in HTML with the
   * hex entity for the Unicode replacement character.
   */
  if ($ord <= 0x1f && $chr != "\t" && $chr != "\n" && $chr != "\r" || $ord >= 0x7f && $ord <= 0x9f) {
    return '&#xFFFD;';
  }

  /**
   * Check if the current character to escape has a name entity we should
   * replace it with while grabbing the integer value of the character.
   */
  if (strlen($chr) > 1) {
    $chr = $this
      ->convertEncoding($chr, 'UTF-16BE', 'UTF-8');
  }
  $hex = bin2hex($chr);
  $ord = hexdec($hex);
  if (isset(static::$htmlNamedEntityMap[$ord])) {
    return '&' . static::$htmlNamedEntityMap[$ord] . ';';
  }

  /**
   * Per OWASP recommendations, we'll use upper hex entities
   * for any other characters where a named entity does not exist.
   */
  if ($ord > 255) {
    return sprintf('&#x%04X;', $ord);
  }
  return sprintf('&#x%02X;', $ord);
}