 * Escapes HTML tags in a string to stop them being rendered.
 * https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
 *
 * Null bytes are a special case and are converted to a character from the Unicode
 * Private Use Area, which CyberChef will display as
(str)
| 848 | * Utils.escapeHtml("A <script> tag"); |
| 849 | */ |
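static escapeHtml(str) {
    // Falsy inputs (null, undefined, "") are passed through untouched so callers
    // that forward optional values do not need their own guard.
    if (!str) return str;

    // Each character that can terminate an HTML text node or a quoted attribute
    // value is mapped to an entity string, per the OWASP cheat sheet linked in
    // the doc comment above. The values MUST be entity strings: a character that
    // maps to itself (e.g. "<": "<") leaves the markup live and the function
    // becomes a no-op escape.
    //
    // This is HTML-body/attribute encoding only; it is not sufficient on its own
    // for values placed inside <script>, event handlers, URLs or CSS, which need
    // their own context-specific encoding.
    const HTML_CHARS = {
        "&": "&amp;",
        "<": "&lt;",
        ">": "&gt;",
        '"': "&quot;",
        "'": "&#x27;", // &apos; not recommended because it's not in the HTML spec
        "`": "&#x60;",
        // Null bytes cannot be expressed as markup; they are moved into the
        // Unicode Private Use Area (see doc comment above for how they render).
        "\u0000": "\ue000"
    };

    // The character class must list exactly the keys of HTML_CHARS so that every
    // match has a mapping and no other character is altered.
    return str.replace(/[&<>"'`\u0000]/g, (match) => HTML_CHARS[match]);
}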
| 867 | /** |