/**
* Escape a string for the HTML Attribute context. We escape an extended set of characters,
* beyond those covered by htmlspecialchars(), to handle cases where an attribute
* might be unquoted or quoted illegally (e.g. backticks are valid quotes for IE).
*
* @return string
*/
public function escapeHtmlAttr(string $string)
{
    // Escaping runs on the UTF-8 form of the input; the pattern below uses the /u modifier.
    // The output is meant as attribute *value* data only. Entity-encoding a value does not
    // make it safe in attributes the browser interprets further (URLs in href/src, event
    // handlers, style), because the entities are decoded before that interpretation.
    $utf8 = $this->toUtf8($string);

    // Nothing to escape: the empty string is returned as produced by toUtf8().
    if ($utf8 === '') {
        return $utf8;
    }

    // A string made only of ASCII digits contains no character the pattern would match,
    // so it is returned as produced by toUtf8(), without the fromUtf8() round trip.
    if (ctype_digit($utf8)) {
        return $utf8;
    }

    // Allow-list: everything except ASCII letters, digits, comma, period, hyphen and
    // underscore is handed to the attribute matcher callback for replacement.
    // NOTE(review): preg_replace_callback() returns null on a PCRE failure (for example
    // malformed UTF-8 under /u). How fromUtf8() treats null is not visible here; confirm
    // that toUtf8() rejects invalid input so that case cannot reach this call.
    $escaped = preg_replace_callback('/[^a-z0-9,\.\-_]/iSu', $this->htmlAttrMatcher, $utf8);

    // Convert back to the caller's encoding before returning.
    return $this->fromUtf8($escaped);
}

/**
* Escape a string for the JavaScript context. This does not use json_encode(). An extended
* set of characters is escaped beyond ECMAScript's rules for JavaScript string literal
* escaping in order to prevent misinterpretation of JavaScript as HTML leading to the
* injection of special characters and entities. The escaping used should be tolerant
* of cases where HTML escaping was not applied on top of JavaScript escaping correctly.
* Backslash escaping is not used as it still leaves the escaped character as-is and so
* is not useful in an HTML context.
*
* @return string
*/