# HG changeset patch # User Mads Kiilerich # Date 1549917373 -3600 # Node ID fa3e6eda9e7cc352b5500648fe3833e62f77b412 # Parent ac7f2ae515042e445af1924cb6a018b49ea48ce0 js: introduce an html_escape function In analogy to (python) kallithea.lib.helpers.html_escape, introduce the equivalent for use in JavaScript. diff -r ac7f2ae51504 -r fa3e6eda9e7c kallithea/public/js/base.js --- a/kallithea/public/js/base.js Mon Dec 03 19:19:07 2018 +0000 +++ b/kallithea/public/js/base.js Mon Feb 11 21:36:13 2019 +0100 @@ -8,6 +8,30 @@ } /** + * INJECT .html_escape function into String + * Usage: "unsafe string".html_escape() + * + * This is the Javascript equivalent of kallithea.lib.helpers.html_escape(). It + * will escape HTML characters to prevent XSS or other issues. It should be + * used in all cases where Javascript code is inserting potentially unsafe data + * into the document. + * + * For example: + * + * is changed into: + * <script>confirm("boo")</script> + * + */ +String.prototype.html_escape = function() { + return this + .replace(/&/g,'&') + .replace(//g,'>') + .replace(/"/g, '"') + .replace(/'/g, '''); +} + +/** * INJECT .format function into String * Usage: "My name is {0} {1}".format("Johny","Bravo") * Return "My name is Johny Bravo"
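Review bot: as the hunk reads, the escaping table in `String.prototype.html_escape` is broken, which defeats the purpose of an XSS helper: `.replace(/&/g,'&')` maps `&` to itself, `.replace(//g,'>')` has an empty pattern (and the `<` case is missing altogether), and `.replace(/'/g, ''')` is not valid JavaScript. The doc comment has the same problem: "For example:" is followed by nothing, and the "is changed into:" line shows `<script>confirm("boo")</script>` unchanged. This looks like the entity references were decoded somewhere between the file and this listing, but the committed base.js must contain the named entities, i.e. `&` to `&amp;` (kept first, as here, so the later replacements are not double-escaped), `<` to `&lt;`, `>` to `&gt;`, `"` to `&quot;` and `'` to `&#39;`, and the comment should show the raw `<script>` input next to its escaped form. Please verify the actual file contents and add a unit test that asserts the escaped output of an input containing all five characters, since an identity replacement here fails silently. Two smaller points: because this is a String method, callers holding a number or other non-string value must coerce with `String(x)` first or they get a TypeError, which the usage comment should say; and the assignment to `String.prototype.html_escape` should end with `};` for consistency with a function expression.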