From 6e36b59a59d15916d3581c7a9dbad490cab4dcfb Mon Sep 17 00:00:00 2001 From: Chad Weider Date: Sat, 14 Jan 2012 14:46:15 -0800 Subject: [PATCH] All escaping functions replace HTML reserved characters. --- node/utils/ExportHtml.js | 5 +++-- static/js/ace2_common.js | 9 ++++++++- static/js/domline.js | 2 +- static/js/pad_utils.js | 9 ++++++++- 4 files changed, 20 insertions(+), 5 deletions(-) diff --git a/node/utils/ExportHtml.js b/node/utils/ExportHtml.js index 46ed980a..ef85d51f 100644 --- a/node/utils/ExportHtml.js +++ b/node/utils/ExportHtml.js @@ -429,14 +429,15 @@ exports.getPadHTMLDocument = function (padId, revNum, noDocType, callback) function _escapeHTML(s) { - var re = /[&<>]/g; + var re = /[&"<>]/g; if (!re.MAP) { // persisted across function calls! re.MAP = { '&': '&', + '"': '"', '<': '<', - '>': '>', + '>': '>' }; } diff --git a/static/js/ace2_common.js b/static/js/ace2_common.js index 1246a16e..1e5c415c 100644 --- a/static/js/ace2_common.js +++ b/static/js/ace2_common.js @@ -142,7 +142,14 @@ function binarySearchInfinite(expectedLength, func) function htmlPrettyEscape(str) { - return str.replace(/&/g, '&').replace(//g, '>').replace(/\r?\n/g, '\\n'); + return str.replace(/[&"<>]/g, function (c) { + return { + '&': '&', + '"': '"', + '<': '<', + '>': '>' + }[c] || c; + }).replace(/\r?\n/g, '\\n'); } if (typeof exports !== "undefined") diff --git a/static/js/domline.js b/static/js/domline.js index 56f74a1c..b0fbcc8c 100644 --- a/static/js/domline.js +++ b/static/js/domline.js @@ -229,7 +229,7 @@ domline.escapeHTML = function(s) '&': '&', '<': '<', '>': '>', - '"': '"', + '"': '"', "'": ''' }; } diff --git a/static/js/pad_utils.js b/static/js/pad_utils.js index 76a16705..bd028485 100644 --- a/static/js/pad_utils.js +++ b/static/js/pad_utils.js 
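Review bot: The character class `/[&"<>]/g` in `_escapeHTML` still leaves the single quote unescaped, although the map of `domline.escapeHTML` (domline.js hunk of this same patch) carries an entry for `'`. The four escapers therefore still disagree, and any caller that places the result inside a single-quoted attribute gets no protection; no such caller is visible here, so that is worth checking. I would widen the class to `var re = /[&"'<>]/g;` and add `"'": '&#39;'` to `re.MAP`, with the same two changes in `htmlPrettyEscape` (ace2_common.js) and `padutils.escapeHtml` (pad_utils.js). The `replace` call that consumes `re.MAP` lies outside the hunk, and the replacement values on this page appear entity-decoded, so the entity spellings could not be checked.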
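Review bot: `htmlPrettyEscape` in ace2_common.js calls `str.replace` on its argument directly, so `null`, `undefined` or a number throws a TypeError, while `padutils.escapeHtml` in this patch coerces first with `String(x)`. If non-string values can reach it (the callers are not visible here), `return String(str).replace(...)` makes the two helpers behave alike. The callback also builds a new four-entry object for every matched character, and the `|| c` fallback looks unreachable because the regex only matches keys of that object. Hoisting the table to one file-level `var` and returning `HTML_ESCAPES[c]` would remove both and keep the character class and the table next to each other.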
@@ -23,7 +23,14 @@ var padutils = { escapeHtml: function(x) { - return String(x).replace(/\/g, '>'); + return String(x).replace(/[&"<>]/g, function (c) { + return { + '&': '&', + '"': '"', + '<': '<', + '>': '>' + }[c] || c; + }); }, uniqueId: function() {
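Review bot: `padutils.escapeHtml` has no comment saying which output contexts its result is safe for, and the name suggests more than the code covers. With `& " < >` escaped it fits element text and double-quoted attribute values only. I would put this above the function: `// Escapes & " < > for HTML text and double-quoted attribute values; not sufficient for single-quoted or unquoted attributes, URLs, or inline script.` The same comment fits `htmlPrettyEscape` and `_escapeHTML`.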