escape text in lexer

kbrsh · May 7, 2019 · 7b0542d · 7b0542d
1 parent 68925af
commit 7b0542d
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 3 deletions.
diff --git a/packages/moon/dist/moon.js b/packages/moon/dist/moon.js
@@ -89,11 +89,31 @@
 	 */
 
 	var expressionRE = /"[^"]*"|'[^']*'|\d+[a-zA-Z$_]\w*|\.[a-zA-Z$_]\w*|[a-zA-Z$_]\w*:|([a-zA-Z$_]\w*)/g;
+	/**
+	 * Capture special characters in text that need to be escaped.
+	 */
+
+	var textRE = /&amp;|&gt;|&lt;|&nbsp;|&quot;|\\|"|\n|\r/g;
 	/**
 	 * List of global variables to ignore in expression scoping
 	 */
 
 	var globals = ["NaN", "false", "in", "null", "this", "true", "typeof", "undefined", "window"];
+	/**
+	 * Map from special characters to a safe format for JavaScript string literals.
+	 */
+
+	var escapeTextMap = {
+		"&amp;": "&",
+		"&gt;": ">",
+		"&lt;": "<",
+		"&nbsp;": " ",
+		"&quot;": "\\\"",
+		"\\": "\\\\",
+		"\"": "\\\"",
+		"\n": "\\n",
+		"\r": "\\r"
+	};
 	/**
 	 * Checks if a given character is a quote.
 	 *
@@ -104,6 +124,18 @@
 	function isQuote(_char) {
 		return _char === "\"" || _char === "'";
 	}
+	/**
+	 * Escape text to make it usable in a JavaScript string literal.
+	 *
+	 * @param {string} text
+	 */
+
+
+	function escapeText(text) {
+		return text.replace(textRE, function (match) {
+			return escapeTextMap[match];
+		});
+	}
 	/**
 	 * Scope an expression to use variables within the `data` object.
 	 *
@@ -340,7 +372,7 @@
 						type: "tagOpen",
 						value: "text",
 						attributes: {
-							"": "\"" + text + "\""
+							"": "\"" + escapeText(text) + "\""
 						},
 						closed: true
 					});

diff --git a/packages/moon/dist/moon.min.js b/packages/moon/dist/moon.min.js
diff --git a/packages/moon/src/compiler/lexer/lexer.js b/packages/moon/src/compiler/lexer/lexer.js
@@ -24,11 +24,31 @@ const attributeRE = /\s*([\w\d-_:@]*)(?:=(?:("[^"]*"|'[^']*')|{([^{}]*)}))?/g;
  */
 const expressionRE = /"[^"]*"|'[^']*'|\d+[a-zA-Z$_]\w*|\.[a-zA-Z$_]\w*|[a-zA-Z$_]\w*:|([a-zA-Z$_]\w*)/g;
 
+/**
+ * Capture special characters in text that need to be escaped.
+ */
+const textRE = /&amp;|&gt;|&lt;|&nbsp;|&quot;|\\|"|\n|\r/g;
+
 /**
  * List of global variables to ignore in expression scoping
  */
 const globals = ["NaN", "false", "in", "null", "this", "true", "typeof", "undefined", "window"];
 
+/**
+ * Map from special characters to a safe format for JavaScript string literals.
+ */
+const escapeTextMap = {
+	"&amp;": "&",
+	"&gt;": ">",
+	"&lt;": "<",
+	"&nbsp;": " ",
+	"&quot;": "\\\"",
+	"\\": "\\\\",
+	"\"": "\\\"",
+	"\n": "\\n",
+	"\r": "\\r"
+};
+
 /**
  * Checks if a given character is a quote.
  *
@@ -39,6 +59,15 @@ function isQuote(char) {
 	return char === "\"" || char === "'";
 }
 
+/**
+ * Escape text to make it usable in a JavaScript string literal.
+ *
+ * @param {string} text
+ */
+function escapeText(text) {
+	return text.replace(textRE, (match) => escapeTextMap[match]);
+}
+
 /**
  * Scope an expression to use variables within the `data` object.
  *
@@ -304,7 +333,7 @@ export function lex(input) {
 					type: "tagOpen",
 					value: "text",
 					attributes: {
-						"": `"${text}"`
+						"": `"${escapeText(text)}"`
 					},
 					closed: true
 				});