HTML-escape closing '>' as well as opening -- for a few edge cases

eta-dev · Apr 27, 2020 · 99aedf2 · 99aedf2
1 parent ac67270
commit 99aedf2
Show file tree

Hide file tree

Showing 10 changed files with 19 additions and 14 deletions.
diff --git a/dist/browser/eta.dev.js b/dist/browser/eta.dev.js
diff --git a/dist/browser/eta.dev.js.map b/dist/browser/eta.dev.js.map
diff --git a/dist/browser/eta.min.js b/dist/browser/eta.min.js
diff --git a/dist/browser/eta.min.js.map b/dist/browser/eta.min.js.map
diff --git a/dist/eta.cjs.js b/dist/eta.cjs.js
diff --git a/dist/eta.cjs.js.map b/dist/eta.cjs.js.map
diff --git a/dist/eta.es.js b/dist/eta.es.js
diff --git a/dist/eta.es.js.map b/dist/eta.es.js.map
diff --git a/src/utils.ts b/src/utils.ts
@@ -8,6 +8,7 @@ import { EtaConfig } from './config'
 interface EscapeMap {
   '&': '&amp;'
   '<': '&lt;'
+  '>': '&gt;'
   '"': '&quot;'
   "'": '&#39;'
   [index: string]: string
@@ -98,6 +99,7 @@ function trimWS (
 var escMap: EscapeMap = {
   '&': '&amp;',
   '<': '&lt;',
+  '>': '&gt;',
   '"': '&quot;',
   "'": '&#39;'
 }
@@ -109,8 +111,8 @@ function replaceChar (s: string): string {
 function XMLEscape (str: any) {
   // To deal with XSS. Based on Escape implementations of Mustache.JS and Marko, then customized.
   var newStr = String(str)
-  if (/[&<"']/.test(newStr)) {
-    return newStr.replace(/[&<"']/g, replaceChar)
+  if (/[&<>"']/.test(newStr)) {
+    return newStr.replace(/[&<>"']/g, replaceChar)
   } else {
     return newStr
   }

diff --git a/test/utils.spec.ts b/test/utils.spec.ts
@@ -57,6 +57,6 @@ describe('Whitespace trim', () => {
 
 describe('HTML Escape', () => {
   it('properly escapes HTML characters', () => {
-    expect(XMLEscape('<p>HTML</p>')).toBe('&lt;p>HTML&lt;/p>')
+    expect(XMLEscape('<p>HTML</p>')).toBe('&lt;p&gt;HTML&lt;/p&gt;')
   })
 })