PHP's htmlspecialchars in JavaScript

Here’s what our current JavaScript equivalent to PHP's htmlspecialchars looks like.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
module.exports = function htmlspecialchars (string, quoteStyle, charset, doubleEncode) {
// discuss at: http://locutus.io/php/htmlspecialchars/
// original by: Mirek Slugen
// improved by: Kevin van Zonneveld (http://kvz.io)
// bugfixed by: Nathan
// bugfixed by: Arno
// bugfixed by: Brett Zamir (http://brett-zamir.me)
// bugfixed by: Brett Zamir (http://brett-zamir.me)
// revised by: Kevin van Zonneveld (http://kvz.io)
// input by: Ratheous
// input by: Mailfaker (http://www.weedem.fr/)
// input by: felix
// reimplemented by: Brett Zamir (http://brett-zamir.me)
// note 1: charset argument not supported
// example 1: htmlspecialchars("<a href='test'>Test</a>", 'ENT_QUOTES')
// returns 1: '&lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;'
// example 2: htmlspecialchars("ab\"c'd", ['ENT_NOQUOTES', 'ENT_QUOTES'])
// returns 2: 'ab"c&#039;d'
// example 3: htmlspecialchars('my "&entity;" is still here', null, null, false)
// returns 3: 'my &quot;&entity;&quot; is still here'

var optTemp = 0
var i = 0
var noquotes = false
if (typeof quoteStyle === 'undefined' || quoteStyle === null) {
quoteStyle = 2
}
string = string || ''
string = string.toString()

if (doubleEncode !== false) {
// Put this first to avoid double-encoding
string = string.replace(/&/g, '&amp;')
}

string = string
.replace(/</g, '&lt;')
.replace(/>/g, '&gt;')

var OPTS = {
'ENT_NOQUOTES': 0,
'ENT_HTML_QUOTE_SINGLE': 1,
'ENT_HTML_QUOTE_DOUBLE': 2,
'ENT_COMPAT': 2,
'ENT_QUOTES': 3,
'ENT_IGNORE': 4
}
if (quoteStyle === 0) {
noquotes = true
}
if (typeof quoteStyle !== 'number') {
// Allow for a single string or an array of string flags
quoteStyle = [].concat(quoteStyle)
for (i = 0; i < quoteStyle.length; i++) {
// Resolve string input to bitwise e.g. 'ENT_IGNORE' becomes 4
if (OPTS[quoteStyle[i]] === 0) {
noquotes = true
} else if (OPTS[quoteStyle[i]]) {
optTemp = optTemp | OPTS[quoteStyle[i]]
}
}
quoteStyle = optTemp
}
if (quoteStyle & OPTS.ENT_HTML_QUOTE_SINGLE) {
string = string.replace(/'/g, '&#039;')
}
if (!noquotes) {
string = string.replace(/"/g, '&quot;')
}

return string
}
[ View on GitHub | Edit on GitHub | Source on GitHub ]

How to use

You you can install via npm install locutus and require it via require('locutus/php/strings/htmlspecialchars'). You could also require the strings module in full so that you could access strings.htmlspecialchars instead.

If you intend to target the browser, you can then use a module bundler such as Browserify, webpack or rollup.js.

ES5/ES6

This function targets ES5, but as of Locutus 2.0.2 we also support ES6 functions. Locutus transpiles to ES5 before publishing to npm.

A community effort

Not unlike Wikipedia, Locutus is an ongoing community effort. Our philosophy follows The McDonald’s Theory. This means that we don't consider it to be a bad thing that many of our functions are first iterations, which may still have their fair share of issues. We hope that these flaws will inspire others to come up with better ideas.

This way of working also means that we don't offer any production guarantees, and recommend to use Locutus inspiration and learning purposes only.

Notes

  • charset argument not supported

Examples

Please note that these examples are distilled from test cases that automatically verify our functions still work correctly. This could explain some quirky ones.

#codeexpected result
1htmlspecialchars("<a href='test'>Test</a>", 'ENT_QUOTES')'&lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;'
2htmlspecialchars("ab\"c'd", ['ENT_NOQUOTES', 'ENT_QUOTES'])'ab"c&#039;d'
3htmlspecialchars('my "&entity;" is still here', null, null, false)'my &quot;&entity;&quot; is still here'

« More PHP strings functions