module.exports = function htmlspecialchars(string, quoteStyle, charset, doubleEncode) { // discuss at: https://locutus.io/php/htmlspecialchars/ // original by: Mirek Slugen // improved by: Kevin van Zonneveld (https://kvz.io) // bugfixed by: Nathan // bugfixed by: Arno // bugfixed by: Brett Zamir (https://brett-zamir.me) // bugfixed by: Brett Zamir (https://brett-zamir.me) // revised by: Kevin van Zonneveld (https://kvz.io) // input by: Ratheous // input by: Mailfaker (https://www.weedem.fr/) // input by: felix // reimplemented by: Brett Zamir (https://brett-zamir.me) // note 1: charset argument not supported // example 1: htmlspecialchars("Test", 'ENT_QUOTES') // returns 1: '<a href='test'>Test</a>' // example 2: htmlspecialchars("ab\"c'd", ['ENT_NOQUOTES', 'ENT_QUOTES']) // returns 2: 'ab"c'd' // example 3: htmlspecialchars('my "&entity;" is still here', null, null, false) // returns 3: 'my "&entity;" is still here' let optTemp = 0 let i = 0 let noquotes = false if (typeof quoteStyle === 'undefined' || quoteStyle === null) { quoteStyle = 2 } string = string || '' string = string.toString() if (doubleEncode !== false) { // Put this first to avoid double-encoding string = string.replace(/&/g, '&') } string = string.replace(//g, '>') const OPTS = { ENT_NOQUOTES: 0, ENT_HTML_QUOTE_SINGLE: 1, ENT_HTML_QUOTE_DOUBLE: 2, ENT_COMPAT: 2, ENT_QUOTES: 3, ENT_IGNORE: 4, } if (quoteStyle === 0) { noquotes = true } if (typeof quoteStyle !== 'number') { // Allow for a single string or an array of string flags quoteStyle = [].concat(quoteStyle) for (i = 0; i < quoteStyle.length; i++) { // Resolve string input to bitwise e.g. 'ENT_IGNORE' becomes 4 if (OPTS[quoteStyle[i]] === 0) { noquotes = true } else if (OPTS[quoteStyle[i]]) { optTemp = optTemp | OPTS[quoteStyle[i]] } } quoteStyle = optTemp } if (quoteStyle & OPTS.ENT_HTML_QUOTE_SINGLE) { string = string.replace(/'/g, ''') } if (!noquotes) { string = string.replace(/"/g, '"') } return string }