More fixes after feedback

commit c99480c52b21645d3fc41653bb193a3c429a8cbb 1 parent 51d68bb
@eoftedal authored
Showing with 17 additions and 1 deletion.
  1. +1 −1  lib/helmet.js
  2. +16 −0 test/escaping-test.js
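--- a/lib/helmet.js
+++ b/lib/helmet.js
@@ -117,7 +117,7 @@ var helmet = {
 return (/^on.*$/i).test(name);
 },
 "isUri": function(name) {
-return (/(href|src|formaction)/i).test(name);
+return (/(href|src|formaction|action)/i).test(name);
 },
 "isStyle": function(name) {
 return (/style/i).test(name);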
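Review bot: The new `isUri` alternation is unanchored, so `action` already matches `formaction` as a substring and listing both is redundant; more to the point, other URL-valued attributes such as `background`, `poster`, `cite`, `codebase`, `longdesc` and `ping` are still not recognised and will fall through to whatever escaping is applied to non-URL attributes, which this hunk does not show. If substring matching on the attribute name is the intended contract (it is what the existing `src`/`href` entries rely on, e.g. for `xlink:href`), the line could read `return (/(href|src|action|background|poster|cite|codebase|longdesc|ping)/i).test(name);`. Note that `data` (the `<object>` URL attribute) cannot be added to a substring match without also capturing every `data-*` attribute, so it would need an anchored form like `isEvent` uses. A short comment stating that the match is deliberately on any attribute name containing these words would make the over-matching an explicit choice rather than an accident.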
16 test/escaping-test.js
@@ -58,6 +58,22 @@ describe("Helmet", function() {
var out = compiled.render({ "data" : "a&b" });
expect(out).toEqual("<div><a href='http://www.google.com/?q=a%26b'>hello</a></div>");
});
+ it("should use url encoding when inside url of formaction", function() {
+ var template = '<form id=x><button form=x formaction="<%= data %>">';
+ var compiled = helmet.compile(template);
+ var out = compiled.render({ "data" : "a&b" });
+ expect(out).toEqual('<form id=x><button form=x formaction="a%26b">');
+ });
+ it("should use url encoding when inside url", function() {
+ var template = '<form action="<%= data %>">';
+ var compiled = helmet.compile(template);
+ var out = compiled.render({ "data" : "a&b" });
+ expect(out).toEqual('<form action="a%26b">');
+ });
+
+
+
+
it("should javascript escape if inside string", function() {
var template = "<div><a onclick=\"var a = '<%= data %>'\">hello</a></div>";