
Escape source code before outputting to HTML.

Closes #15.
commit 89519da10720f37526bf451ead24fcab527f3d77 1 parent f9e5e4e
Domenic Denicola authored April 09, 2012

Showing 1 changed file with 13 additions and 5 deletions. Show diff stats Hide diff stats

  1. 18  reporters/html.js
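--- a/reporters/html.js
+++ b/reporters/html.js
@@ -1,6 +1,14 @@
 var fs = require('fs');
 var _ = require('underscore');
 
+function htmlEscape(string) {
+    return string.replace(/&/g, "&")
+                 .replace(/</g, "&lt;")
+                 .replace(/>/g, "&gt;")
+                 .replace(/"/g, "&quot;")
+                 .replace(/'/g, "&#39;");
+}
+
 module.exports = {
     name: "html",
     format: function(coverageData) {
@@ -15,7 +23,7 @@ module.exports = {
             var lineOutput = [];
             if (!stats.coverage.hasOwnProperty(line + 1)) {
                 lineOutput.push("<span class='covered'>  ");
-                lineOutput.push(sourceLine);
+                lineOutput.push(htmlEscape(sourceLine));
                 lineOutput.push("</span>");
             }
             else {
@@ -25,7 +33,7 @@ module.exports = {
                 if (!lineInfo.partial) {
                     // If it isn't partial, then we can just append the entire line
                     lineOutput.push("<span class='uncovered'>  ");
-                    lineOutput.push(sourceLine.replace(/</g, "&lt;"));
+                    lineOutput.push(htmlEscape(sourceLine));
                     lineOutput.push("</span>");
                 }
                 else {
@@ -35,17 +43,17 @@ module.exports = {
                         curStart = j == 0 ? 0 : (lineInfo.missing[j-1].endCol + 1);
                         curEnd = lineInfo.missing[j].startCol;
                         
-                        lineOutput.push(sourceLine.slice(curStart, curEnd).replace(/</g, "&lt;"));
+                        lineOutput.push(htmlEscape(sourceLine.slice(curStart, curEnd)));
                         
                         lineOutput.push("<span class='partialuncovered'>");
-                        lineOutput.push(sourceLine.slice(lineInfo.missing[j].startCol, lineInfo.missing[j].endCol + 1).replace(/</g, "&lt;"));
+                        lineOutput.push(htmlEscape(sourceLine.slice(lineInfo.missing[j].startCol, lineInfo.missing[j].endCol + 1)));
                         lineOutput.push("</span>");
                     }
                     
                     // Add the straggling part
                     curStart = lineInfo.missing[lineInfo.missing.length - 1].endCol + 1;
                     curEnd = sourceLine.length;
-                    lineOutput.push(sourceLine.slice(curStart, curEnd).replace(/</g, "&lt;"));
+                    lineOutput.push(htmlEscape(sourceLine.slice(curStart, curEnd)));
                     
                     lineOutput.push("</span>");
                 }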
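Review bot: The first step of the new htmlEscape chain in the first hunk reads `string.replace(/&/g, "&")` as rendered here, which is a no-op; the replacement must be the entity `&amp;`, and it has to remain the first step so the ampersands introduced by the later replacements are not escaped twice. If the committed file really contains `"&"`, a source line holding text such as `&lt;` would pass through unescaped and the browser would render it as `<`, so the coverage report would no longer show the source faithfully; this is most likely the page decoding the entity on display, but it is worth confirming against the file. The intended line is `return string.replace(/&/g, "&amp;")`. A short header comment would also help readers, e.g. `// Escape the five characters that are significant in HTML text and attribute values.` The remaining hunks only route the existing pushes through htmlEscape and sit inside format, whose body begins and ends outside the diff.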

0 notes on commit 89519da
