Merge pull request facebook#23 from RSO/fix-lt-gt-entities

Make sure less-than and great-than characters are properly encoded.

test/__tests__/create-element-to-jsx-test.js

@@ -48,6 +48,8 @@ describe('create-element-to-jsx', () => {
     test('create-element-to-jsx', 'create-element-to-jsx-call-expression-as-prop');
 
     test('create-element-to-jsx', 'create-element-to-jsx-allow-member-expression');
+
+    test('create-element-to-jsx', 'create-element-to-jsx-gt-lt-entities');
   });
 
   it('raises when it does not recognize a property type', () => {

test/create-element-to-jsx-gt-lt-entities.js

@@ -0,0 +1,3 @@
+var React = require('React');
+
+React.createElement('div', null, '\x3C\x3E');

test/create-element-to-jsx-gt-lt-entities.output.js

@@ -0,0 +1,3 @@
+var React = require('React');
+
+<div>&lt;&gt;</div>;

transforms/create-element-to-jsx.js

@@ -2,6 +2,10 @@ module.exports = function(file, api, options) {
   const j = api.jscodeshift;
   const root = j(file.source);
   const ReactUtils = require('./utils/ReactUtils')(j);
+  const encodeJSXTextValue = value =>
+    value
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;');
 
   const convertExpressionToJSXAttributes = (expression) => {
     const isReactSpread = expression.type === 'CallExpression' &&
@@ -89,7 +93,7 @@ module.exports = function(file, api, options) {
 
     const children = node.value.arguments.slice(2).map((child, index) => {
       if (child.type === 'Literal' && typeof child.value === 'string') {
-        return j.jsxText(child.value);
+        return j.jsxText(encodeJSXTextValue(child.value));
       } else if (child.type === 'CallExpression' &&
         child.callee.object &&
         child.callee.object.name === 'React' &&