From: Mischa POSLAWSKY
Date: Mon, 11 Feb 2008 02:44:29 +0000 (+0000)
Subject: EscapeHTML function
X-Git-Tag: 3.23~4
X-Git-Url: http://git.shiar.net/perl/plp/.git/commitdiff_plain/958d374e19b67a3c68050a1dd29f7a10a44c74c9?hp=958d374e19b67a3c68050a1dd29f7a10a44c74c9

EscapeHTML function

Another function to encode html/xml, this time (imho) the "right" way by only quoting reserved characters. The provided Entity() function would often be unusable because of its overcomplete whitespace formatting. This is a feature which I (have to) set up manually in many cases, which seems very unfriendly for a module optimised for outputting HTML.

According to personal preferences, it only substitutes a minimal set of entities:
- & and < (both required to prevent html interpretation)
- > (for xml or otherwise to ease document parsing)
- " (to make it usable in attribute values).

Single quotes (' or ') are left unquoted, assuming attributes are always in double quotes (no reason to do otherwise).

Unlike Entity, it only handles a single argument, to allow for possible options in the future (hopefully supporting a custom range of unsafe chars). It also dies on failure (like trying to change read-only input), because that is a user mistake which should not go unnoticed.

The name was devised to be more consistent with other environments (also anticipating new URI encoding and decoding):
* php htmlspecialchars html_entity_decode urlrawencode urldecode
* javascript encodeURIComponent decodeURIComponent
* ruby CGI escapeHTML unescapeHTML escape unescape
- CGI::Simple::Util escapeHTML unescapeHTML escape unescape
- CGI::Util (simple_escape) escape unescape
- HTML::Mason::Escapes basic_html_escape url_escape
- HTML::Tiny entity_encode url_encode url_decode
* URI::Escape uri_escape_utf8 uri_unescape
* XML::Quote xml_quote xml_dequote
- PLP (legacy) Entity EncodeURI DecodeURI
- PLP (redesign) EscapeHTML UnescapeHTML EscapeURI UnescapeURI

HTML:
- Escape etc used nearly everywhere (so the obvious choice).
- Decode is only used by php, but uglily and inconsistently.
- Quote seems most appropriate linguistically, but only used in one minority module.

URIs:
- Encode etc common in php and javascript.
- Escape etc used by ruby and several perl modules (including URI::Escape), and is still familiar to javascript users
- URI used in all significant environments; URL only in minor modules.
---
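The escaping policy described in the commit message, as an added example that is not part of the commit or of PLP's code: it applies the minimal set (& < > ") and checks which output contexts the result stays inside, which shows why leaving the apostrophe unquoted is only safe for double-quoted attributes. The names escape_minimal, escape_with_apos and stays_inside are hypothetical, and unlike the behaviour the message describes these helpers return a copy rather than changing their input.

```perl
use strict;
use warnings;

# Added illustration; escape_minimal is a hypothetical stand-in, not PLP's EscapeHTML.
my %ENTITY = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');

# Minimal set from the commit message: & < > " in a single pass,
# so an ampersand produced by one substitution is never escaped twice.
sub escape_minimal {
    die "escape_minimal takes exactly one defined argument\n"
        unless @_ == 1 && defined $_[0];
    (my $text = $_[0]) =~ s/([&<>"])/$ENTITY{$1}/g;   # copy, then substitute
    return $text;
}

# Stricter variant for templates that may use single-quoted attributes.
sub escape_with_apos {
    (my $text = escape_minimal(@_)) =~ s/'/&#39;/g;
    return $text;
}

# True when the escaped text cannot end the given output context early.
sub stays_inside {
    my ($escaped, $context) = @_;
    my %breaker = (text => qr/</, dq_attr => qr/"/, sq_attr => qr/'/);
    return $escaped !~ $breaker{$context};
}

my $input = q{Tom & "Jerry" say <it's> fine};   # constructed sample

for my $fn ([minimal => \&escape_minimal], [with_apos => \&escape_with_apos]) {
    my ($name, $code) = @$fn;
    my $out = $code->($input);
    print "$name: $out\n";
    for my $context (qw(text dq_attr sq_attr)) {
        printf "  %-8s %s\n", $context,
            stays_inside($out, $context) ? 'contained' : 'NOT contained';
    }
}
```

With the minimal set, only the sq_attr context is reported as not contained, so a template audit for this policy comes down to confirming that every attribute value is emitted between double quotes.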