
Always escape < in text regardless of decodeEntities
thorn0 committed Sep 3, 2018
1 parent d26e453 commit f9051d1
Showing 2 changed files with 15 additions and 3 deletions.
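--- a/index.js
+++ b/index.js
@@ -131,9 +131,15 @@ function renderDirective(elem) {
 function renderText(elem, opts) {
 var data = elem.data || '';
 
-// if entities weren't decoded, no need to encode them back
-if (opts.decodeEntities && !(elem.parent && elem.parent.name in unencodedElements)) {
-data = entities.encodeXML(data);
+if (!(elem.parent && elem.parent.name in unencodedElements)) {
+if (opts.decodeEntities) {
+data = entities.encodeXML(data);
+} else {
+// If entities weren't decoded, no need to encode them back.
+// Nevertheless let's escape `<` as it's able to sneak in unescaped,
+// see https://github.com/fb55/htmlparser2/issues/105
+data = data.replace(/</g, '&lt;');
+}
+}
 
 return data;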
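Review bot: The `elem.parent.name in unencodedElements` test on the new outer `if` (carried over from the replaced condition) uses `in`, which also matches inherited properties, so if `unencodedElements` is a plain object literal with the default prototype a parent element named e.g. `constructor` or `toString` would skip this whole block and let `<` through raw — exactly the case this commit is closing. Whether that applies depends on how `unencodedElements` is declared outside this hunk; if it already uses `__proto__: null` or `Object.create(null)` it is moot, otherwise `if (!(elem.parent && Object.prototype.hasOwnProperty.call(unencodedElements, elem.parent.name))) {` closes it. The `else` branch would also read better with a line making the asymmetry explicit, e.g. `// Only '<' is escaped here: '&' and '>' are deliberately left as-is because the input's entities were never decoded.` renderText's closing brace lies below the hunk.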
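--- a/test.js
+++ b/test.js
@@ -124,4 +124,10 @@ function testBody(html) {
 var str = '<iframe src="test"></iframe>';
 expect(html(str)).to.equal(str);
 });
+
+it('should always escape < in text nodes', function() {
+// from https://github.com/fb55/htmlparser2/issues/105
+var str = '<<img src="javascript:evil"/>img src="javascript:evil"/>';
+expect(html(str)).to.match(/^&lt;<img src="/);
+});
 }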
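Review bot: The new test only pins the first characters of the output via `/^&lt;<img src="/`, so it says nothing about the trailing text node `img src="javascript:evil"/>` and nothing about the other side of the new branch — that `<` inside a parent listed in `unencodedElements` is still left alone. A second case would guard that regression, e.g. `var raw = '<script>if (a < b) {}</script>';` followed by `expect(html(raw)).to.equal(raw);`, assuming `html` is built with the serializer's defaults and `script` is among the raw elements (neither is visible here). The enclosing `testBody` function starts above the hunk.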
