I’ve written a content management system that uses a server-side regular expression to escape ampersands in the page response just prior to it being sent to the client’s browser. The regular expression is mindful of ampersands that have already been escaped or are part of an HTML entity. For example, the following:

a & b, c & d, © 2009

gets changed to this:

a & b, c & d, © 2009

(Only the first & is modified.) Here is the regular expression, which was taken and modified from a Rails helper:

html.gsub(/&(?!([a-zA-Z][a-zA-Z0-9]*|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] } 

While this works great, it does have a problem. The regular expression is not aware of any <![CDATA[ or ]]> that might be surrounding the unescaped ampersands. This is necessary for embedded JavaScript to remain untouched. For example, this:

<script type='text/javascript'>   // <![CDATA[   if (a && b) doSomething();   // ]]> </script> 

is unfortunately rendered as this:

<script type='text/javascript'>   // <![CDATA[   if (a &amp;&amp; b) doSomething();   // ]]> </script> 

which of course the JavaScript engines don’t understand.

My question is this: Is there a way to modify the regular expression to do exactly as it is doing now with the exception that it leaves text inside a CDATA section untouched?

Since the regular expression is not so simple to begin with, this question might be easier to answer: Is it possible to write a regular expression that will change all letters into a period except those letters between a ‘<‘ and a ‘>‘? For example, one that would change 'some <words> are < safe! >' into '.... <words> ... < safe! >'?