Make interpolate escape HTML in variables - Fix #78

Polyconseil · Oct 17, 2018 · 44e409d · 44e409d
1 parent f53d817
commit 44e409d
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/src/interpolate.js b/src/interpolate.js
@@ -44,6 +44,14 @@ let interpolate = function (msgid, context = {}) {
     const expression = token.trim()
     let evaluated
 
+    let escapeHtmlMap = {
+      '&': '&amp;',
+      '<': '&lt;',
+      '>': '&gt;',
+      '"': '&quot;',
+      '\'': '&#039;',
+    }
+
     // Avoid eval() by splitting `expression` and looping through its different properties if any, see #55.
     function getProps (obj, expression) {
       const arr = expression.split(EVALUATION_RE).filter(x => x)
@@ -69,6 +77,9 @@ let interpolate = function (msgid, context = {}) {
         }
       }
       return evaluated
+        .toString()
+        // Escape HTML, see #78.
+        .replace(/[&<>"']/g, function (m) { return escapeHtmlMap[m] })
     }
 
     return evalInContext.call(context, expression)

diff --git a/test/specs/interpolate.spec.js b/test/specs/interpolate.spec.js
@@ -29,6 +29,13 @@ describe('Interpolate tests', () => {
     expect(interpolated).to.equal('Foo bar baz')
   })
 
+  it('with HTML in var (should be escaped)', () => {
+    let msgid = 'Foo %{ placeholder } baz'
+    let context = { placeholder: '<p>bar</p>' }
+    let interpolated = interpolate(msgid, context)
+    expect(interpolated).to.equal('Foo &lt;p&gt;bar&lt;/p&gt; baz')
+  })
+
   it('with multiple spaces in the placeholder', () => {
     let msgid = 'Foo %{              placeholder                              } baz'
     let context = { placeholder: 'bar' }