
fix(html_tag): escape html and encode url by default #93

Merged
merged 4 commits into hexojs:master from curbengh:escape-html Sep 16, 2019

Conversation

@curbengh
Contributor

commented Sep 16, 2019

Related to hexojs/hexo#3704 (cc @dailyrandomphoto)
This is to transform

<a href="/posts/test1/" title="this is a title with <a tag>.">this is a text with </a><a tag="">.</a>

to

<a href="/posts/test1/" title="this is a title with &lt;a tag&gt;.">this is a text with &lt;/a&gt;&lt;a tag=""&gt;.</a>

There is an option to disable escaping of just the text.

htmlTag('a', {href: 'http://foo.com'}, '<b>bold</b> text', false)
<a href="http://foo.com"><b>bold</b> text</a>
curbengh added 4 commits Sep 15, 2019
@coveralls

commented Sep 16, 2019

Coverage Status

Coverage increased (+0.05%) to 96.491% when pulling 9c8bfe2 on curbengh:escape-html into 968a91b on hexojs:master.

@curbengh curbengh requested a review from hexojs/core Sep 16, 2019
@curbengh curbengh requested a review from SukkaW Sep 16, 2019
@curbengh

Contributor Author

commented Sep 16, 2019

Just updated docs.

@tomap
tomap approved these changes Sep 16, 2019
@curbengh curbengh merged commit 6155112 into hexojs:master Sep 16, 2019
3 checks passed
Travis CI - Pull Request Build Passed
continuous-integration/appveyor/pr AppVeyor build succeeded
coverage/coveralls Coverage increased (+0.05%) to 96.491%
@curbengh curbengh deleted the curbengh:escape-html branch Sep 16, 2019
@curbengh curbengh referenced this pull request Sep 16, 2019
if (attrs[i] === null || typeof attrs[i] === 'undefined') result += '';
else {
if (i === 'href' || i === 'src') result += ` ${i}="${encodeURL(attrs[i])}"`;
else result += ` ${escapeHTML(i)}="${escapeHTML(String(attrs[i]))}"`;
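Review bot: `result += ''` in the null/undefined branch on the first line is a no-op; a `continue` (or inverting the condition) states the intent of "omit the attribute" directly. The `href`/`src` test is an exact name match, so every other attribute, including URL-valued ones such as `data-url`, falls into the `escapeHTML` branch; if `escapeHTML` entity-encodes `/`, those values are emitted as `http:&#x2F;&#x2F;...`. Also worth a comment in the code: `encodeURL` percent-encodes the value but does not validate it, so a URL's scheme is not checked here.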

@dailyrandomphoto

dailyrandomphoto Sep 16, 2019

Contributor

It's not safe to escape attributes whose value is a URL.
e.g.

data-url="http://example.com/"
=>
data-url="http:&#x2F;&#x2F;example.com&#x2F;"

I think escape " is enough.

else result += ` ${escapeHTML(i)}="${String(attrs[i]).replace(/"/g, "&quot;")}"`;
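The description's default transform and the attribute discussion above, as one added, self-contained example. This is not hexo-util's own `htmlTag`, `escapeHTML` or `encodeURL`; it sketches the three encoding contexts the PR separates: element text (entity-escaped unless `escape` is `false`), `href`/`src` values (percent-encoded), and every other attribute value (entity-escaped). Assumed here, and not taken from the page: a five-character entity map with no `/` entry, which is what keeps a `data-url` value readable, and `decodeURI`/`encodeURI` as the URL encoder.

```javascript
// Added example, not hexo-util's code: a self-contained htmlTag that applies a
// different encoder for each of the three contexts the PR separates.
//   element text            -> HTML entity escaping (disabled with escape=false)
//   href / src attributes   -> percent-encoding of the URL
//   every other attribute   -> HTML entity escaping of the value
// Assumption: the entity map below has no '/' entry, so URL-valued attributes
// such as data-url keep their slashes.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHTML(str) {
  return String(str).replace(/[&<>"']/g, ch => HTML_ENTITIES[ch]);
}

// Percent-encode a URL. Decoding first avoids double-encoding values that are
// already encoded; a malformed %xx sequence makes decodeURI throw, in which case
// the raw value is encoded as-is.
function encodeURL(url) {
  let decoded;
  try {
    decoded = decodeURI(url);
  } catch (e) {
    decoded = url;
  }
  return encodeURI(decoded);
}

function htmlTag(tag, attrs = {}, text, escape = true) {
  if (!tag) throw new TypeError('tag is required!');
  let result = `<${escapeHTML(tag)}`;

  for (const name of Object.keys(attrs)) {
    const value = attrs[name];
    if (value === null || value === undefined) continue; // attribute omitted entirely
    if (name === 'href' || name === 'src') {
      result += ` ${name}="${encodeURL(String(value))}"`;
    } else {
      result += ` ${escapeHTML(name)}="${escapeHTML(value)}"`;
    }
  }

  if (text === null || text === undefined) return `${result}>`; // no closing tag
  const body = escape ? escapeHTML(text) : String(text);
  return `${result}>${body}</${escapeHTML(tag)}>`;
}

// Constructed inputs mirroring the cases discussed in the PR thread.
console.log(htmlTag('a', { href: '/posts/test1/', title: 'this is a title with <a tag>.' },
  'this is a text with </a><a tag="">.'));
console.log(htmlTag('a', { href: 'http://foo.com' }, '<b>bold</b> text', false));
console.log(htmlTag('foo', { 'data-url': 'http://example.com/' }, '<baz>'));
console.log(htmlTag('foo', { bar: 'bar" class="badclass' }, '<baz>'));
console.log(htmlTag('a', { href: 'http://example.com/a b"c' }));
```

Two design points. Entity escaping and percent-encoding are not interchangeable: a `"` inside an `href` is neutralised as `%22` rather than `&quot;`, and a `"` in any other attribute becomes `&quot;`, so neither can close the attribute early. And encoding is not validation: `encodeURL` makes the value safe to place inside a quoted attribute, but it says nothing about what scheme the URL carries, so a value taken from untrusted input still needs its scheme checked separately.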
bar: '<b>'
}, '<baz>', false).should.eql('<foo bar="&lt;b&gt;"><baz></foo>');
});
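Review bot: this case passes `false`, so it only pins the unescaped-text path; `bar: '<b>'` expected as `&lt;b&gt;` covers attribute escaping, but nothing here checks the default (escaped) text path alongside it, a `"` inside an attribute value, or a URL-valued attribute that is not `href`/`src`. Each branch in `htmlTag` deserves its own expectation so a change to one branch cannot pass unnoticed.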

@dailyrandomphoto

dailyrandomphoto Sep 16, 2019

Contributor

Can you add these test cases?

  it('tag + data-attrs', () => {
    htmlTag('foo', {
      'data-url': 'http://example.com/'
    }, '<baz>').should.eql('<foo data-url="http://example.com/">&lt;baz&gt;</foo>');
  });

  it('tag + bad attrs', () => {
    htmlTag('foo', {
      'bar': 'bar" class="badclass'
    }, '<baz>').should.eql('<foo bar="bar&quot; class=&quot;badclass">&lt;baz&gt;</foo>');
  });

  it('nested tags', () => {
    htmlTag('div', {
      'class': 'parent'
    }, htmlTag('a', {
      'href': 'http://example.com/'
    }, 'link'), false).should.eql('<div class="parent"><a href="http://example.com/">link</a></div>');
  });