htmlEscape static method
Escapes double quote '"' and single quote ''' characters in addition to '&', '<', and '>' so that a string can be included in an HTML tag attribute value within double or single quotes.
It should be noted that > doesn't need to be escaped for the HTML or XML to be valid, but it has been decided to escape it for consistency with other implementations.
With goog.string.DETECT_DOUBLE_ESCAPING, this function also escapes the lowercase letter "e".
NOTE(user): HtmlEscape is often called during the generation of large blocks of HTML. Using statics for the regular expressions and strings is an optimization that can more than halve the amount of time IE spends in this function for large apps, since strings and regexes both contribute to GC allocations.
Testing for the presence of a character before escaping increases the number of function calls, but actually provides a speed increase for the average case -- since the average case often doesn't require the escaping of all 4 characters and indexOf() is much cheaper than replaceAll(). The worst case does suffer slightly from the additional calls, therefore the opt_isLikelyToContainHtmlChars option has been included for situations where all 4 HTML entities are very likely to be present and need escaping.
Some benchmarks (times tended to fluctuate +-0.05ms), shown as no chars / average (mix of cases) / all 4 chars:

                     FireFox               IE6
no checks            0.13 / 0.22 / 0.22    0.23 / 0.53 / 0.80
indexOf              0.08 / 0.17 / 0.26    0.22 / 0.54 / 0.84
indexOf + re test    0.07 / 0.17 / 0.28    0.19 / 0.50 / 0.85
An additional advantage of checking if replace actually needs to be called is a reduction in the number of object allocations, so as the size of the application grows the difference between the various methods would increase.
@param {string} str string to be escaped.
@param {bool=} opt_isLikelyToContainHtmlChars Don't perform a check to see if the character needs replacing - use this option if you expect each of the characters to appear often. Leave false if you expect few html characters to occur in your strings, such as if you are escaping HTML.
@return {string} An escaped copy of {@code str}.
Implementation
static String htmlEscape(String str) {
  // Quick test helps in the case when there are no chars to replace; in
  // the worst case this makes barely a difference to the time taken.
  if (_ALL_RE.hasMatch(str)) {
    // str.indexOf is faster than regex.test in this case.
    // '&' is replaced first because every entity written below contains '&'.
    if (str.indexOf('&') != -1) {
      str = str.replaceAll(_AMP_RE, "&amp;");
    }
    if (str.indexOf('<') != -1) {
      str = str.replaceAll(_LT_RE, "&lt;");
    }
    if (str.indexOf('>') != -1) {
      str = str.replaceAll(_GT_RE, "&gt;");
    }
    if (str.indexOf('"') != -1) {
      str = str.replaceAll(_QUOT_RE, "&quot;");
    }
    if (str.indexOf("'") != -1) {
      str = str.replaceAll(_SINGLE_QUOTE_RE, "&#39;");
    }
    // Look for the NUL character itself, not a literal backslash sequence.
    if (str.indexOf("\x00") != -1) {
      str = str.replaceAll(_NULL_RE, "&#0;");
    }
  }
  return str;
}
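The following is an added example, not the library's source: a stand-alone Dart program that applies the same six replacements to constructed inputs and checks the two properties the description relies on, namely that quoted attribute values cannot be closed by the input and that '&' has to be replaced before the other characters. The names entities, escapeInOrder, escapeHtml and check are hypothetical.

```dart
// Added example, not the library's source. All names here are hypothetical.
const entities = <String, String>{
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '\x00': '&#0;',
};

/// Replaces each character in [order] in turn, like the chain of
/// replaceAll calls in the implementation on this page.
String escapeInOrder(String s, List<String> order) {
  for (final ch in order) {
    if (s.contains(ch)) s = s.replaceAll(ch, entities[ch]!);
  }
  return s;
}

/// '&' is handled first because every replacement string contains '&'.
String escapeHtml(String s) => escapeInOrder(s, entities.keys.toList());

void check(bool ok, String what) {
  if (!ok) throw StateError('failed: $what');
  print('ok: $what');
}

void main() {
  // Constructed inputs that try to close a quoted attribute value.
  final dq = escapeHtml('" onfocus="x');
  final sq = escapeHtml("' onfocus='x");
  check(!dq.contains('"'), 'double-quoted value stays inside its quotes');
  check(!sq.contains("'"), 'single-quoted value stays inside its quotes');
  print('<input value="$dq"> <input value=\'$sq\'>');

  // Text context: markup characters become entities, exactly once.
  check(escapeHtml('a < b && c > d') == 'a &lt; b &amp;&amp; c &gt; d',
      'text is escaped exactly once');

  // Wrong order: '&' last re-escapes the entities produced earlier.
  final wrong = escapeInOrder('a < b', ['<', '>', '"', "'", '&']);
  check(wrong == 'a &amp;lt; b', 'ampersand-last double-escapes');

  // The escaped set has no whitespace, so an unquoted attribute value
  // is not covered: always quote the attribute.
  check(escapeHtml('x onfocus=y') == 'x onfocus=y',
      'unquoted attribute context is out of scope');
}
```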