-
Notifications
You must be signed in to change notification settings - Fork 13
/
sanitizer.js
87 lines (78 loc) · 2.26 KB
/
sanitizer.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
/* globals define, module */
/**
* A simple library to help you escape HTML using template strings.
*
* It's the counterpart to our eslint "no-unsafe-innerhtml" plugin that helps us
* avoid unsafe coding practices.
* A full write-up of the Hows and Whys are documented
* for developers at
* https://developer.mozilla.org/en-US/Firefox_OS/Security/Security_Automation
* with additional background information and design docs at
* https://wiki.mozilla.org/User:Fbraun/Gaia/SafeinnerHTMLRoadmap
*
*/
(function (root, factory) {
'use strict';
if (typeof define === 'function' && define.amd) {
define(factory);
} else if (typeof exports === 'object') {
module.exports = factory();
} else {
root.Sanitizer = factory();
}
}(this, function () {
'use strict';
var Sanitizer = {
_entity: /[&<>"'/]/g,
_entities: {
'&': '&',
'<': '<',
'>': '>',
'"': '"',
'\'': ''',
'/': '/'
},
getEntity: function (s) {
return Sanitizer._entities[s];
},
/**
* Escapes HTML for all values in a tagged template string.
*/
escapeHTML: function (strings, ...values) {
var result = '';
for (var i = 0; i < strings.length; i++) {
result += strings[i];
if (i < values.length) {
result += String(values[i]).replace(Sanitizer._entity,
Sanitizer.getEntity);
}
}
return result;
},
/**
* Escapes HTML and returns a wrapped object to be used during DOM insertion
*/
createSafeHTML: function (strings, ...values) {
var escaped = Sanitizer.escapeHTML(strings, ...values);
return {
__html: escaped,
toString: function () {
return '[object WrappedHTMLObject]';
},
info: 'This is a wrapped HTML object. See https://developer.mozilla.or'+
'g/en-US/Firefox_OS/Security/Security_Automation for more.'
};
},
/**
* Unwrap safe HTML created by createSafeHTML or a custom replacement that
* underwent security review.
*/
unwrapSafeHTML: function (...htmlObjects) {
var markupList = htmlObjects.map(function(obj) {
return obj.__html;
});
return markupList.join('');
}
};
return Sanitizer;
}));