XML entities aren't escaped #3

Merged
merged 1 commit into from Jan 10, 2013
+11 −2
@@ -323,15 +323,24 @@ module.exports = (function() {
level--;
}
+ var xmlEncode = function(text) {
+ return String(text)
+ .replace(/&/g, '&')
+ .replace(/\"/g, '"')
+ .replace(/\'/g, ''')
+ .replace(/</g, '&lt;')
+ .replace(/>/g, '&gt;')
+ }
+
var toAttributes = function(obj) {
var string = "";
- for (key in obj) { string += " " + key + "=" + "\"" + obj[key] + "\"" }
+ for (key in obj) { string += " " + key + "=" + "\"" + xmlEncode(obj[key]) + "\"" }
return string;
}
var commonElement = function(verb) {
return function(str, attributes) {
- append("<" + verb + toAttributes(attributes) + ">" + str + "</" + verb + ">");
+ append("<" + verb + toAttributes(attributes) + ">" + xmlEncode(str) + "</" + verb + ">");
}
}
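Review bot: In `toAttributes` only the attribute value passes through `xmlEncode`; the attribute name `key` is still concatenated raw, so an attributes object with caller-influenced keys can still produce malformed or unintended markup. A conservative guard before emitting would close that, e.g. `if (!/^[A-Za-z_:][\w.:-]*$/.test(key)) throw new Error('invalid attribute name: ' + key);`. On the same line `key` is never declared, so it becomes an implicit global, and `for...in` also visits inherited enumerable properties; `for (var key in obj)` with an `Object.prototype.hasOwnProperty.call(obj, key)` check avoids both. The replacement strings for `&`, `"` and `'` in `xmlEncode` appear entity-decoded by this page's rendering, so it is worth confirming in the actual file that they read `&amp;`, `&quot;` and `&apos;`, with the `&` replacement kept first. The enclosing module function starts outside the hunk.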