encoding.html: optimize escape performance (#19264)

vlang · Sep 3, 2023 · 61b2199 · 61b2199
1 parent ed6626d
commit 61b2199
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 6 deletions.
diff --git a/vlib/encoding/html/escape.v b/vlib/encoding/html/escape.v
@@ -5,15 +5,20 @@ pub struct EscapeConfig {
 	quote bool = true
 }
 
+const (
+	html_replacement_table       = ['&', '&amp;', '<', '&lt;', '>', '&gt;']
+	html_quote_replacement_table = ['"', '&#34;', "'", '&#39;'] // `'&#34;'` is shorter than `'&quot;'`
+)
+
 // escape converts special characters in the input, specifically "<", ">", and "&"
 // to HTML-safe sequences. If `quote` is set to true (which is default), quotes in
 // HTML will also be translated. Both double and single quotes will be affected.
 // **Note:** escape() supports funky accents by doing nothing about them. V's UTF-8
 // support through `string` is robust enough to deal with these cases.
 pub fn escape(input string, config EscapeConfig) string {
-	tag_free_input := input.replace_each(['&', '&amp;', '<', '&lt;', '>', '&gt;'])
+	tag_free_input := input.replace_each(html.html_replacement_table)
 	return if config.quote {
-		tag_free_input.replace_each(['"', '&quot;', "'", '&#x27;'])
+		tag_free_input.replace_each(html.html_quote_replacement_table)
 	} else {
 		tag_free_input
 	}

diff --git a/vlib/encoding/html/escape_test.v b/vlib/encoding/html/escape_test.v
@@ -5,15 +5,15 @@ fn test_escape_html() {
 	assert html.escape('No change') == 'No change'
 	assert html.escape('<b>Bold text</b>') == '&lt;b&gt;Bold text&lt;/b&gt;'
 	assert html.escape('<img />') == '&lt;img /&gt;'
-	assert html.escape("' onmouseover='alert(1)'") == '&#x27; onmouseover=&#x27;alert(1)&#x27;'
-	assert html.escape("<a href='http://www.example.com'>link</a>") == '&lt;a href=&#x27;http://www.example.com&#x27;&gt;link&lt;/a&gt;'
-	assert html.escape("<script>alert('hello');</script>") == '&lt;script&gt;alert(&#x27;hello&#x27;);&lt;/script&gt;'
+	assert html.escape("' onmouseover='alert(1)'") == '&#39; onmouseover=&#39;alert(1)&#39;'
+	assert html.escape("<a href='http://www.example.com'>link</a>") == '&lt;a href=&#39;http://www.example.com&#39;&gt;link&lt;/a&gt;'
+	assert html.escape("<script>alert('hello');</script>") == '&lt;script&gt;alert(&#39;hello&#39;);&lt;/script&gt;'
 	// Cases obtained from:
 	// https://github.com/apache/commons-lang/blob/master/src/test/java/org/apache/commons/lang3/StringEscapeUtilsTest.java
 	assert html.escape('plain text') == 'plain text'
 	assert html.escape('') == ''
 	assert html.escape('bread & butter') == 'bread &amp; butter'
-	assert html.escape('"bread" & butter') == '&quot;bread&quot; &amp; butter'
+	assert html.escape('"bread" & butter') == '&#34;bread&#34; &amp; butter'
 	assert html.escape('greater than >') == 'greater than &gt;'
 	assert html.escape('< less than') == '&lt; less than'
 	// Leave accents as-is