Added modules/Escaping with the first useful methods.

query/VirtualElement now using the escaping.
astoilkov · Sep 25, 2016 · cc1e93f · cc1e93f
1 parent 3102494
commit cc1e93f
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 3 deletions.
diff --git a/src/modules/Escape.js b/src/modules/Escape.js
@@ -0,0 +1,43 @@
+define([],
+function () {
+    var htmlEntityMap = {
+        '&': '&amp;',
+        '<': '&lt;',
+        '>': '&gt;',
+        '"': '&quot;',
+        '\'': '&#x27;',
+        '/': '&x2F;'
+    };
+
+    var htmlEscapeRegEx = (function () {
+        var entities = [];
+        for (var entity in htmlEntityMap) {
+            entities.push(entity);
+        }
+        return new RegExp('(' + entities.join('|') + ')', 'g');
+    })();
+
+    var Escape = {
+        // moved from modules/escapeRegEx
+        forRegEx: function escapeRegEx(string) {
+            return string.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g, '\\$&');
+        },
+        forHTML: function (value) {
+            if (!blocks.isString(value)) {
+                return value;
+            }
+            return value.replace(htmlEscapeRegEx, function (entity) {
+                return htmlEntityMap[entity];
+            });
+        },
+        // This is only valid because jsblocks forces (inserts itself) double quotes for attributes
+        // don't use this in other cases
+        forHTMLAttributes: function (value) {
+            if (blocks.isString(value)) {
+                return value.replace(/"/g, '&quot;');
+            }
+            return value;
+        }
+    };
+    return Escape;
+});
diff --git a/src/query/VirtualElement.js b/src/query/VirtualElement.js
@@ -2,6 +2,7 @@ define([
   '../core',
   '../var/hasOwn',
   '../modules/keys',
+  '../modules/Escape',
   './var/virtualElementIdentity',
   './var/classAttr',
   './var/dataIdAttr',
@@ -13,7 +14,7 @@ define([
   './dom',
   './Expression',
   './ElementsData'
-], function (blocks, hasOwn, keys, virtualElementIdentity, classAttr, dataIdAttr, dataQueryAttr, getClassIndex, setClass, escapeValue, createFragment, dom,
+], function (blocks, hasOwn, keys, Escape, virtualElementIdentity, classAttr, dataIdAttr, dataQueryAttr, getClassIndex, setClass, escapeValue, createFragment, dom,
              Expression, ElementsData) {
 
   function VirtualElement(tagName) {
@@ -85,7 +86,7 @@ define([
     text: function (text) {
       if (arguments.length > 0) {
         if (text != null) {
-          text = escapeValue(text);
+          text = Escape.forHTML(text);
           this.html(text);
         }
         return this;
@@ -618,7 +619,7 @@ define([
         if (value === '') {
           html += ' ' + key;
         } else if (value != null) {
-          html += ' ' + key + '="' + value + '"';
+          html += ' ' + key + '="' + Escape.forHTMLAttributes(value) + '"';
         }
       }