PHP's htmlspecialchars in JavaScript

How to use

You you can install via yarn add locutus and require this function via const htmlspecialchars = require('locutus/php/strings/htmlspecialchars').

It is important to use a bundler that supports tree-shaking so that you only ship the functions that you actually use to your browser, instead of all of Locutus, which is massive. Examples are: Parcel, webpack, or rollup.js. For server-side use this is typically less of a concern.

Examples

Please note that these examples are distilled from test cases that automatically verify our functions still work correctly. This could explain some quirky ones.

#codeexpected result
1htmlspecialchars("<a href='test'>Test</a>", 'ENT_QUOTES')'&lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;'
2htmlspecialchars("ab\"c'd", ['ENT_NOQUOTES', 'ENT_QUOTES'])'ab"c&#039;d'
3htmlspecialchars('my "&entity;" is still here', null, null, false)'my &quot;&entity;&quot; is still here'

Notes

  • charset argument not supported

Here’s what our current JavaScript equivalent to PHP's htmlspecialchars looks like.

module.exports = function htmlspecialchars(string, quoteStyle, charset, doubleEncode) {
// discuss at: https://locutus.io/php/htmlspecialchars/
// original by: Mirek Slugen
// improved by: Kevin van Zonneveld (https://kvz.io)
// bugfixed by: Nathan
// bugfixed by: Arno
// bugfixed by: Brett Zamir (https://brett-zamir.me)
// bugfixed by: Brett Zamir (https://brett-zamir.me)
// revised by: Kevin van Zonneveld (https://kvz.io)
// input by: Ratheous
// input by: Mailfaker (https://www.weedem.fr/)
// input by: felix
// reimplemented by: Brett Zamir (https://brett-zamir.me)
// note 1: charset argument not supported
// example 1: htmlspecialchars("<a href='test'>Test</a>", 'ENT_QUOTES')
// returns 1: '&lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;'
// example 2: htmlspecialchars("ab\"c'd", ['ENT_NOQUOTES', 'ENT_QUOTES'])
// returns 2: 'ab"c&#039;d'
// example 3: htmlspecialchars('my "&entity;" is still here', null, null, false)
// returns 3: 'my &quot;&entity;&quot; is still here'

let optTemp = 0
let i = 0
let noquotes = false
if (typeof quoteStyle === 'undefined' || quoteStyle === null) {
quoteStyle = 2
}
string = string || ''
string = string.toString()

if (doubleEncode !== false) {
// Put this first to avoid double-encoding
string = string.replace(/&/g, '&amp;')
}

string = string.replace(/</g, '&lt;').replace(/>/g, '&gt;')

const OPTS = {
ENT_NOQUOTES: 0,
ENT_HTML_QUOTE_SINGLE: 1,
ENT_HTML_QUOTE_DOUBLE: 2,
ENT_COMPAT: 2,
ENT_QUOTES: 3,
ENT_IGNORE: 4,
}
if (quoteStyle === 0) {
noquotes = true
}
if (typeof quoteStyle !== 'number') {
// Allow for a single string or an array of string flags
quoteStyle = [].concat(quoteStyle)
for (i = 0; i < quoteStyle.length; i++) {
// Resolve string input to bitwise e.g. 'ENT_IGNORE' becomes 4
if (OPTS[quoteStyle[i]] === 0) {
noquotes = true
} else if (OPTS[quoteStyle[i]]) {
optTemp = optTemp | OPTS[quoteStyle[i]]
}
}
quoteStyle = optTemp
}
if (quoteStyle & OPTS.ENT_HTML_QUOTE_SINGLE) {
string = string.replace(/'/g, '&#039;')
}
if (!noquotes) {
string = string.replace(/"/g, '&quot;')
}

return string
}

A community effort

Not unlike Wikipedia, Locutus is an ongoing community effort. Our philosophy follows The McDonald’s Theory. This means that we assimilate first iterations with imperfections, hoping for others to take issue with-and improve them. This unorthodox approach has worked very well to foster fun and fruitful collaboration, but please be reminded to use our creations at your own risk. THE SOFTWARE IS PROVIDED "AS IS" has never been more true than for Locutus.

Now go and: [ View on GitHub | Edit on GitHub | View Raw ]


« More PHP strings functions


Star