
Better escaping

eoftedal committed Nov 13, 2012
1 parent c99480c commit 2991c5d72883dc813d6571b0aa20c51e388c2af4
Showing with 10 additions and 5 deletions.
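--- a/lib/helmet.js
+++ b/lib/helmet.js
@@ -4,7 +4,7 @@ var helmet = {
 "compile" : function(template) {
 var tags = [];
 var t;
-var augmented = template.replace(/<%=((?:.|\r|\n)*?)%>/g, function(match, group) {
+var augmented = template.replace(/<%=([\s\S]*?)%>/g, function(match, group) {
 var k = helmet.key();
 tags.push({key: k, content: group });
 return k;
@@ -22,8 +22,8 @@ var helmet = {
 }
 augmented = augmented.replace(new RegExp(tags[t].key, "g"), '" + helmet.' + tags[t].func + '(' + tags[t].content + ') + "' );
 }
-augmented = augmented.replace(/<%-((?:.|\r|\n)*?)%>/g, '" + $1 + "');
-augmented = augmented.replace(/<%((?:.|\r|\n)*?)%>/g, '");\n $1 \n __helmet.push("');
+augmented = augmented.replace(/<%-([\s\S]*?)%>/g, '" + $1 + "');
+augmented = augmented.replace(/<%([\s\S]*?)%>/g, '");\n $1 \n __helmet.push("');
 augmented = 'with(scope) { var __helmet = [];\n __helmet.push("' + augmented + '");\nreturn __helmet.join("") }';
 return { "render": new Function("scope", augmented) };
 },
@@ -86,7 +86,7 @@ var helmet = {
 if (helmet.safeInAttributes.indexOf(data.charAt(i)) > -1) {
 result.push(data.charAt(i));
 } else {
-result.push("&#x" + data.charCodeAt(i).toString(16) + ";");
+result.push("&#x" + helmet.zeropad(data.charCodeAt(i).toString(16), 2) + ";");
 }
 }
 return result.join("");
@@ -98,12 +98,17 @@ var helmet = {
 var c = data.charCodeAt(i);
 if (c >= 97 && c <= 122 || c >= 65 && c <= 90 || c >= 48 && c <= 57) {
 result.push(String.fromCharCode(c));
+} else if (c <= 0xff) {
+result.push("\\x" + helmet.zeropad(c.toString(16), 2));
 } else {
-result.push("\\x" + (c < 16 ? "0" : "") + c.toString(16));
+result.push("\\u" + helmet.zeropad(c.toString(16), 4));
 }
 }
 return result.join("");
 },
+"zeropad": function(numberStr, zeros) {
+return ("0000" + numberStr).substring(4 + numberStr.length - zeros);
+},
 "escapeUri" : function(data) {
 return helmet.escapeHtmlAttribute(window.encodeURIComponent(data));
 },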
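Review bot: `zeropad` near the end of this section only pads correctly for `zeros <= 4`, because the pad is the fixed literal `"0000"`; `zeropad("1", 6)` returns `"00001"`, and the clamped negative `substring` start hides the shortfall rather than failing. The two callers (the `&#x` branch in `escapeHtmlAttribute` and the new `\x`/`\u` branches in `escapeJs`) only ever pass 2 or 4, so either state that limit in a comment or use a width-independent form that keeps the file's ES5 style: `return new Array(Math.max(0, zeros - numberStr.length) + 1).join("0") + numberStr;`. The `escapeJs` output also deserves a header comment, since `\xNN`/`\uNNNN` are string-literal escapes and the function is not a general code-context guard: `// Safe only when the result is placed inside a quoted JS string literal; the escapes have no meaning in other JS contexts.` The enclosing `escapeJs` function starts before the last hunk.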
