changeset 7549:fa3e6eda9e7c stable
js: introduce an html_escape function
In analogy to (python) kallithea.lib.helpers.html_escape, introduce the
equivalent for use in JavaScript.
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Mon, 11 Feb 2019 21:36:13 +0100 |
parents | ac7f2ae51504 |
children | 603f5f7c323d |
files | kallithea/public/js/base.js |
diffstat | 1 files changed, 24 insertions(+), 0 deletions(-) [+] |
--- a/kallithea/public/js/base.js Mon Dec 03 19:19:07 2018 +0000
+++ b/kallithea/public/js/base.js Mon Feb 11 21:36:13 2019 +0100
@@ -8,6 +8,30 @@
 }
 /**
+ * INJECT .html_escape function into String
+ * Usage: "unsafe string".html_escape()
+ *
+ * This is the Javascript equivalent of kallithea.lib.helpers.html_escape(). It
+ * will escape HTML characters to prevent XSS or other issues. It should be
+ * used in all cases where Javascript code is inserting potentially unsafe data
+ * into the document.
+ *
+ * For example:
+ * <script>confirm("boo")</script>
+ * is changed into:
+ * <script>confirm("boo")</script>
+ *
+ */
+String.prototype.html_escape = function() {
+ return this
+ .replace(/&/g,'&')
+ .replace(/</g,'<')
+ .replace(/>/g,'>')
+ .replace(/"/g, '"')
+ .replace(/'/g, ''');
+}
+
+/**
+ * INJECT .format function into String
+ * Usage: "My name is {0} {1}".format("Johny","Bravo")
+ * Return "My name is Johny Bravo"
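Review bot: As shown here, the replacement strings in `html_escape` are the raw characters themselves (`'&'`, `'<'`, `'>'`, `'"'`, and an unterminated `'''`), which would make every `.replace` a no-op and leave the "is changed into" example identical to its input; this is most likely entity decoding by the page rather than the committed code, but the literals that must be in the file are `'&amp;'`, `'&lt;'`, `'&gt;'`, `'&quot;'` and `'&#39;'`, with the ampersand replacement kept first so entities the function itself produces are not escaped a second time. The header comment should also state where the result is safe to use, since this escaping only covers the HTML text and quoted-attribute contexts: `* The result is safe for HTML text content and for double- or single-quoted attribute values; it does not make data safe inside a <script> block, an unquoted attribute, a URL or a CSS value.` Extending `String.prototype` matches the existing `.format` helper in this file, so it is consistent, though a plain function would avoid mutating a built-in. A closing `;` after the function expression (`};`) would match the statement form and avoid relying on automatic semicolon insertion.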