Make content XSS safe #153
Labels
Comments
|
a nice way of doing this: const assert = require('assert');
class HtmlEscapedString extends String {
constructor(parts, subs) {
super();
this._parts = Array.isArray(parts) ? parts : [parts];
this._subs = subs || [];
}
_escapeHtml(unsafe) {
if (unsafe instanceof HtmlEscapedString) {
return unsafe;
}
return String(unsafe)
.replace(/&/g, "&")
.replace(/</g, "<")
.replace(/>/g, ">")
.replace(/"/g, """)
.replace(/'/g, "'");
}
toString() {
return this._parts.reduce((result, part, i) => {
return result + this._escapeHtml(this._subs[i - 1]).toString() + part;
});
}
}
function HTML (parts, ...subs) {
return new HtmlEscapedString(parts, subs);
}
assert.strictEqual(String(HTML`<a>`), '<a>');
assert.strictEqual(String(HTML`${'<a>'}`), '<a>');
assert.strictEqual(String(HTML`${HTML`<a>`}`), '<a>');
assert.strictEqual(String(HTML`${HTML`${'<a>'}`}`), '<a>');
assert.strictEqual(String(HTML('<a>')), '<a>');
assert.strictEqual(HTML` <a> `.trim(), '<a>');This has the added benefit that you can't forget to escape a substitution if your outer string is tagged with |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
escape all rendered content to avoid possibility of tempered HAR to inject code.
See #149 as reference.
The text was updated successfully, but these errors were encountered: