_is_safe_html = $string->_is_safe_html; $this->_is_purified_html = $string->_is_purified_html; $string = $string->unescaped(); } $this->_raw_string = (string) $string; } /** * Factory method returning a new SafeString instance for the given string. */ static function of($string) { return new SafeString($string); } /** * Factory method returning a new SafeString instance after HTML purifying * the given string. */ static function purify($string) { if ($string instanceof SafeString) { $string = $string->unescaped(); } $safe_string = self::of_safe_html(self::_purify_for_html($string)); $safe_string->_is_purified_html = true; return $safe_string; } /** * Factory method returning a new SafeString instance which won't HTML escape. */ static function of_safe_html($string) { $safe_string = new SafeString($string); $safe_string->_is_safe_html = true; return $safe_string; } /** * Safe for use in HTML. * @see #for_html() */ function __toString() { if ($this->_is_safe_html) { return $this->_raw_string; } else { return self::_escape_for_html($this->_raw_string); } } /** * Safe for use in HTML. * * Example:

   *    
   *

* @return the string escaped for use in HTML. */ function for_html() { return $this; } /** * Safe for use as JavaScript string. * * Example:

   *   
   *

* @return the string escaped for use in JavaScript. */ function for_js() { return json_encode((string) $this->_raw_string); } /** * Safe for use in HTML element attributes. * * Assumes that the HTML element attribute is already * delimited by single or double quotes * * Example:

   *     ;
   *   
   *

* @return the string escaped for use in HTML attributes. */ function for_html_attr() { $string = (string) $this->for_html(); return strtr($string, array("'"=>"'", '"'=>'"')); } /** * Safe for use HTML (purified HTML) * * Example:

   *   purified_html() ?> 
   *

* @return the string escaped for use in HTML. */ function purified_html() { if ($this->_is_purified_html) { return $this; } else { return self::purify($this); } } /** * Returns the raw, unsafe string. Do not use lightly. */ function unescaped() { return $this->_raw_string; } // Escapes special HTML chars ("<", ">", "&", etc.) to HTML entities. private static function _escape_for_html($dirty_html) { return html::specialchars($dirty_html); } // Purifies the string, removing any potentially malicious or unsafe HTML / JavaScript. private static function _purify_for_html($dirty_html) { if (empty(self::$_purifier)) { require_once(dirname(__file__) . "/../lib/HTMLPurifier/HTMLPurifier.auto.php"); $config = HTMLPurifier_Config::createDefault(); foreach (Kohana::config('purifier') as $category => $key_value) { foreach ($key_value as $key => $value) { $config->set("$category.$key", $value); } } self::$_purifier = new HTMLPurifier($config); } return self::$_purifier->purify($dirty_html); } }