fix(html_tag): escape html and encode url by default #93

Merged
merged 4 commits into from
Sep 16, 2019

Conversation

curbengh
Contributor

@curbengh curbengh commented Sep 16, 2019

Related to hexojs/hexo#3704 (cc @dailyrandomphoto)
This is to transform

<a href="/posts/test1/" title="this is a title with <a tag>.">this is a text with </a><a tag="">.</a>

to

<a href="/posts/test1/" title="this is a title with &lt;a tag&gt;.">this is a text with &lt;/a&gt;&lt;a tag=""&gt;.</a>

There is an option to disable escaping of just the text.

htmlTag('a', {href: 'http://foo.com'}, '<b>bold</b> text', false)
<a href="http://foo.com"><b>bold</b> text</a>

@coveralls

coveralls commented Sep 16, 2019

Coverage Status

Coverage increased (+0.05%) to 96.491% when pulling 9c8bfe2 on curbengh:escape-html into 968a91b on hexojs:master.

@curbengh curbengh requested a review from a team September 16, 2019 04:01
SukkaW previously approved these changes Sep 16, 2019
@curbengh
Contributor Author

Just updated docs.

@curbengh curbengh merged commit 6155112 into hexojs:master Sep 16, 2019
@curbengh curbengh deleted the escape-html branch September 16, 2019 06:00
@curbengh curbengh mentioned this pull request Sep 16, 2019
if (attrs[i] === null || typeof attrs[i] === 'undefined') result += '';
else {
if (i === 'href' || i === 'src') result += ` ${i}="${encodeURL(attrs[i])}"`;
else result += ` ${escapeHTML(i)}="${escapeHTML(String(attrs[i]))}"`;
Member

It's not safe to escape attributes whose value is a URL.
e.g.

data-url="http://example.com/"
=>
data-url="http:&#x2F;&#x2F;example.com&#x2F;"

I think escaping " is enough.

else result += ` ${escapeHTML(i)}="${String(attrs[i]).replace(/"/g, "&quot;")}"`;

bar: '<b>'
}, '<baz>', false).should.eql('<foo bar="&lt;b&gt;"><baz></foo>');
});

Member

Can you add these test cases?

  it('tag + data-attrs', () => {
    htmlTag('foo', {
      'data-url': 'http://example.com/'
    }, '<baz>').should.eql('<foo data-url="http://example.com/">&lt;baz&gt;</foo>');
  });

  it('tag + bad attrs', () => {
    htmlTag('foo', {
      'bar': 'bar" class="badclass'
    }, '<baz>').should.eql('<foo bar="bar&quot; class=&quot;badclass">&lt;baz&gt;</foo>');
  });

  it('nested tags', () => {
    htmlTag('div', {
      'class': 'parent'
    }, htmlTag('a', {
      'href': 'http://example.com/'
    }, 'link'), false).should.eql('<div class="parent"><a href="http://example.com/">link</a></div>');
  });
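Added example, not hexo-util's own code: a stand-alone htmlTag that implements the behaviour described in the PR description above together with the attribute rule from the review comments (URL-encode href/src, replace only `"` in every other attribute value, HTML-escape the text unless the fourth argument is false). The helper names escapeHTML and encodeURL are taken from the snippet under review, but their bodies here are assumptions: escapeHTML is assumed to also turn `/` into `&#x2F;` (which is what the reviewer's data-url output shows), and encodeURL is assumed to be plain encodeURI. renderAttrs and escapeAttr are names introduced here. renderAttrs takes the attribute-value escaper as a parameter so the two policies the reviewer contrasts can be run side by side on the same input.

```javascript
'use strict';

// Added example, not hexo-util's code. Helper names mirror the snippet under
// review; the bodies are stand-alone re-implementations (see assumptions below).

// Assumption: escapeHTML escapes the OWASP set including `/`, which is why
// the reviewer saw http:&#x2F;&#x2F;example.com&#x2F; when it was applied to data-url.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '/': '&#x2F;'
};

function escapeHTML(str) {
  return String(str).replace(/[&<>"'\/]/g, c => HTML_ENTITIES[c]);
}

// href/src: percent-encode characters that cannot appear raw in a URL while
// keeping the URL's own structure (/ : ? # & =) intact. encodeURI turns `"`,
// `<` and `>` into %22 / %3C / %3E, so the value cannot close its double-quoted
// attribute either. Assumption: hexo-util's encodeURL is treated as encodeURI here.
function encodeURL(url) {
  return encodeURI(String(url));
}

// Every other attribute: inside a double-quoted value only `"` can terminate
// the value, so that is the one character that must go. This is the
// reviewer's proposal; it leaves URL-valued attributes such as data-url readable.
function escapeAttr(value) {
  return String(value).replace(/"/g, '&quot;');
}

// Render the attribute string. escapeValue is the policy for non-URL
// attributes; the default is the quote-only rule, escapeHTML can be passed to
// reproduce the behaviour the reviewer objected to.
function renderAttrs(attrs, escapeValue = escapeAttr) {
  let out = '';
  for (const name of Object.keys(attrs)) {
    const value = attrs[name];
    if (value === null || typeof value === 'undefined') continue; // attribute dropped
    if (name === 'href' || name === 'src') out += ` ${name}="${encodeURL(value)}"`;
    else out += ` ${escapeHTML(name)}="${escapeValue(value)}"`;
  }
  return out;
}

// htmlTag(tag, attrs, text, escape = true): text is escaped by default;
// pass escape = false to embed already-rendered HTML (e.g. a nested htmlTag).
// With no text the tag is left unclosed, as for <img> or <br>.
function htmlTag(tag, attrs = {}, text, escape = true) {
  const open = `<${escapeHTML(tag)}${renderAttrs(attrs)}>`;
  if (text === null || typeof text === 'undefined') return open;
  const body = escape ? escapeHTML(text) : String(text);
  return `${open}${body}</${escapeHTML(tag)}>`;
}

// Constructed sample inputs, taken from the cases discussed in this PR.
const samples = {
  boldText: htmlTag('a', { href: 'http://foo.com' }, '<b>bold</b> text', false),
  dataUrl: htmlTag('foo', { 'data-url': 'http://example.com/' }, '<baz>'),
  badAttrs: htmlTag('foo', { bar: 'bar" class="badclass' }, '<baz>'),
  nested: htmlTag('div', { class: 'parent' },
    htmlTag('a', { href: 'http://example.com/' }, 'link'), false),
  // The policy the reviewer objected to, applied to the same data-url value.
  dataUrlOverEscaped: renderAttrs({ 'data-url': 'http://example.com/' }, escapeHTML),
  // href with an attribute-breakout attempt: encodeURL neutralises it.
  hrefBreakout: htmlTag('a', { href: 'http://x/?q="><script>' }, 'x')
};

function getSamples() {
  return samples;
}
```

Because this escapeHTML also escapes `/`, text such as `</a>` comes out as `&lt;&#x2F;a&gt;` rather than the `&lt;/a&gt;` shown in the PR description; the attribute handling is the same either way. The quote-only rule for non-URL attributes is only sufficient because htmlTag always wraps values in double quotes; an unquoted or single-quoted attribute would need its own delimiter replaced as well.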

This was referenced Sep 20, 2019
@curbengh curbengh restored the escape-html branch October 28, 2019 09:20
5 participants