2525
2626/**
2727 * Context specific methods for use in secure output escaping
28+ *
29+ * @final
2830 */
2931class Escaper
3032{
@@ -49,7 +51,7 @@ class Escaper
4951 * Current encoding for escaping. If not UTF-8, we convert strings from this encoding
5052 * pre-escaping and back to this encoding post-escaping.
5153 *
52- * @var string
54+ * @var non-empty- string
5355 */
5456 protected $ encoding'utf-8 ' ;
5557
@@ -88,7 +90,7 @@ class Escaper
8890 /**
8991 * List of all encoding supported by this class
9092 *
91- * @var array
93+ * @var list<non-empty-string>
9294 */
9395 protected $ supportedEncodings
9496 'iso-8859-1 ' ,
@@ -131,6 +133,7 @@ class Escaper
131133 * Constructor: Single parameter allows setting of global encoding for use by
132134 * the current object.
133135 *
136+ * @param non-empty-string|null $encoding
134137 * @throws Exception\InvalidArgumentException
135138 */
136139 public function __construct (?string $ encodingnull )
@@ -159,25 +162,19 @@ public function __construct(?string $encoding = null)
159162 // set matcher callbacks
160163 $ this htmlAttrMatcher =
161164 /** @param array<array-key, string> $matches */
162- function (array $ matchesstring {
163- return $ this htmlAttrMatcher ($ matches
164- };
165+ fn (array $ matchesstring => $ this htmlAttrMatcher ($ matches
165166 $ this jsMatcher =
166167 /** @param array<array-key, string> $matches */
167- function (array $ matchesstring {
168- return $ this jsMatcher ($ matches
169- };
168+ fn (array $ matchesstring => $ this jsMatcher ($ matches
170169 $ this cssMatcher =
171170 /** @param array<array-key, string> $matches */
172- function (array $ matchesstring {
173- return $ this cssMatcher ($ matches
174- };
171+ fn (array $ matchesstring => $ this cssMatcher ($ matches
175172 }
176173
177174 /**
178175 * Return the encoding that all output/input is expected to be encoded in.
179176 *
180- * @return string
177+ * @return non-empty- string
181178 */
182179 public function getEncoding ()
183180 {
@@ -188,7 +185,7 @@ public function getEncoding()
188185 * Escape a string for the HTML Body context where there are very few characters
189186 * of special meaning. Internally this will use htmlspecialchars().
190187 *
191- * @return string
188+ * @return ($ string is non-empty-string ? non-empty-string : string)
192189 */
193190 public function escapeHtml (string $ string
194191 {
@@ -200,7 +197,7 @@ public function escapeHtml(string $string)
200197 * to escape that are not covered by htmlspecialchars() to cover cases where an attribute
201198 * might be unquoted or quoted illegally (e.g. backticks are valid quotes for IE).
202199 *
203- * @return string
200+ * @return ($ string is non-empty-string ? non-empty-string : string)
204201 */
205202 public function escapeHtmlAttr (string $ string
206203 {
@@ -222,7 +219,7 @@ public function escapeHtmlAttr(string $string)
222219 * Backslash escaping is not used as it still leaves the escaped character as-is and so
223220 * is not useful in a HTML context.
224221 *
225- * @return string
222+ * @return ($ string is non-empty-string ? non-empty-string : string)
226223 */
227224 public function escapeJs (string $ string
228225 {
@@ -240,7 +237,7 @@ public function escapeJs(string $string)
240237 * an entire URI - only a subcomponent being inserted. The function is a simple proxy
241238 * to rawurlencode() which now implements RFC 3986 since PHP 5.3 completely.
242239 *
243- * @return string
240+ * @return ($ string is non-empty-string ? non-empty-string : string)
244241 */
245242 public function escapeUrl (string $ string
246243 {
@@ -251,7 +248,7 @@ public function escapeUrl(string $string)
251248 * Escape a string for the CSS context. CSS escaping can be applied to any string being
252249 * inserted into CSS and escapes everything except alphanumerics.
253250 *
254- * @return string
251+ * @return ($ string is non-empty-string ? non-empty-string : string)
255252 */
256253 public function escapeCss (string $ string
257254 {
0 commit comments