From 2a0ec9641639f2f2fb77c1e565d2a109fbda6224 Mon Sep 17 00:00:00 2001
From: Johannes Raggam <thetetet@gmail.com>
Date: Sun, 2 Oct 2022 00:03:20 +0200
Subject: [PATCH 1/3] feat(Build): Add global switch
 window.__patternslib_disable_modernizr to optionally disable modernizr.

While this is convenient to quickly disable modernizr and also splits modernizr out from the main bundle entry file it was necessary for the clone-code pattern to get a clean code example for the whole html tree.
---
 src/patterns.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/patterns.js b/src/patterns.js
index 2a13cbecb..382d91ef6 100644
--- a/src/patterns.js
+++ b/src/patterns.js
@@ -5,7 +5,6 @@
 // Import base
 import "./globals";
 import registry from "./core/registry";
-import "modernizr";
 
 // Import all used patterns for the bundle to be generated
 import "./core/push_kit";
@@ -74,4 +73,12 @@ import "@patternslib/pat-upload";
 // Set to ``true`` to include core styles via JavaScript
 //window.__patternslib_import_styles = false;
 
+// Include modernizr per default.
+// Most of our styles depend on it.
+// You might want to disable it for your project by setting:
+// window.__patternslib_disable_modernizr = true;
+if (!window.__patternslib_disable_modernizr) {
+    import("modernizr");
+}
+
 registry.init();

From 97ca0b11a36c17e46d949f6204a7094c07a25332 Mon Sep 17 00:00:00 2001
From: Johannes Raggam <thetetet@gmail.com>
Date: Mon, 3 Oct 2022 00:04:12 +0200
Subject: [PATCH 2/3] maint(core utils): Improve escape/unescape for safer
 version which makes use use of browser features.

---
 src/core/utils.js | 31 +++++++++++++++++++------------
 1 file changed, 19 insertions(+), 12 deletions(-)

diff --git a/src/core/utils.js b/src/core/utils.js
index b96b20728..a582bc758 100644
--- a/src/core/utils.js
+++ b/src/core/utils.js
@@ -589,7 +589,9 @@ const localized_isodate = (date) => {
  * Replace HTML reserved characters with html entities to add HTML for user
  * editing to e.g. a textarea or a contenteditable.
  *
- * See: https://developer.mozilla.org/en-US/docs/Glossary/Entity#reserved_characters
+ * See:
+ *  https://stackoverflow.com/a/22706073/1337474
+ *  https://developer.mozilla.org/en-US/docs/Glossary/Entity#reserved_characters
  *
  * @param {string} html - The HTML string to encode.
  *
@@ -600,17 +602,21 @@ const localized_isodate = (date) => {
  *                     ``"`` will be replaced with ``&quot;``.
  */
 const escape_html = (html) => {
-    return (html || "")
-        .replace(/&/g, "&amp;") // needs to be first!
-        .replace(/</g, "&lt;")
-        .replace(/>/g, "&gt;")
-        .replace(/"/g, "&quot;");
+    if (!html) {
+        return "";
+    }
+    const el = document.createElement("div");
+    el.appendChild(document.createTextNode(html));
+    // Return escaped html and also replace quotes.
+    return el.innerHTML.replace(/"/g, "&quot;");
 };
 
 /**
  * Return unescaped, raw HTML from an escaped HTML  string.
  *
- * See: https://developer.mozilla.org/en-US/docs/Glossary/Entity#reserved_characters
+ * See:
+ *  https://stackoverflow.com/a/34064434/1337474
+ *  https://developer.mozilla.org/en-US/docs/Glossary/Entity#reserved_characters
  *
  * @param {string} escaped_html - The HTML string to decode.
  *
@@ -621,11 +627,12 @@ const escape_html = (html) => {
  *                     ``&quot;`` will be replaced with ``"``.
  */
 const unescape_html = (escaped_html) => {
-    return (escaped_html || "")
-        .replace(/&amp;/g, "&")
-        .replace(/&lt;/g, "<")
-        .replace(/&gt;/g, ">")
-        .replace(/&quot;/g, '"');
+    if (!escaped_html) {
+        return "";
+    }
+    const doc = new DOMParser().parseFromString(escaped_html, "text/html");
+    // Return unescaped html and also unescape quote named entities.
+    return doc.documentElement.textContent.replace(/&quot;/g, '"');
 };
 
 /**

From 8bec57af7a5722bfd6070b2cb039749b427f5d6e Mon Sep 17 00:00:00 2001
From: Johannes Raggam <thetetet@gmail.com>
Date: Sat, 1 Oct 2022 11:03:47 +0200
Subject: [PATCH 3/3] maint(core utils): safeClone - document which versions of
 IE are affected.

---
 src/core/utils.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/core/utils.js b/src/core/utils.js
index a582bc758..fc3ea03dd 100644
--- a/src/core/utils.js
+++ b/src/core/utils.js
@@ -5,8 +5,11 @@ const _MS_PER_DAY = 1000 * 60 * 60 * 24; // Milliseconds per day.
 
 $.fn.safeClone = function () {
     var $clone = this.clone();
-    // IE BUG : Placeholder text becomes actual value after deep clone on textarea
+    // IE 9-11 BUG : Placeholder text becomes actual value after deep clone on textarea
     // https://connect.microsoft.com/IE/feedback/details/781612/placeholder-text-becomes-actual-value-after-deep-clone-on-textarea
+    // Ref:
+    //     https://github.com/Patternslib/Patterns/issues/412
+    //     https://github.com/Patternslib/Patterns/pull/410
     if (window.document.documentMode) {
         $clone.findInclusive(":input[placeholder]").each(function (i, item) {
             var $item = $(item);