Test escaping HTML fix #50

mthenw · Sep 16, 2015 · 054eb70 · 054eb70
1 parent 3879a6e
commit 054eb70
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 13 deletions.
diff --git a/lib/web/assets/app.js b/lib/web/assets/app.js
@@ -182,18 +182,9 @@ window.App = (function (window, document) {
      * @private
      */
     var _escape = function (text) {
-        var entityMap = {
-            '&': '&amp;',
-            '<': '&lt;',
-            '>': '&gt;',
-            '"': '&quot;',
-            '\'': '&#39;',
-            '/': '&#x2F;'
-        };
-
-        return String(text).replace(/[&<>"'\/]/g, function (s) {
-            return entityMap[s];
-        });
+        var div = document.createElement('div');
+        div.appendChild(document.createTextNode(text));
+        return div.innerHTML;
     };
 
     return {

diff --git a/package.json b/package.json
@@ -19,7 +19,7 @@
     "jscs": "^1.6.2",
     "jsdom": "^3.1.0",
     "jshint": "~2.3.0",
-    "mocha": "~2.2.0",
+    "mocha": "~2.3.2",
     "should": "~3.3.2",
     "sinon": "~1.7.3",
     "supertest": "~0.8.1",

diff --git a/test/app.js b/test/app.js
@@ -98,6 +98,13 @@ describe('browser application', function () {
         );
     });
 
+    it('should escape HTML', function () {
+        io.emit('line', '<a/>');
+
+        var line = window.document.querySelector('.line');
+        line.innerHTML.should.equal('<p class="inner-line">&lt;a/&gt;</p>');
+    });
+
     function initApp() {
         window.App.init({
             socket: io,