| 548 | // Also escape single quotes in case of an XSS attack. |
| 549 | // Return the escaped string. |
/**
 * Replace each character of `rest` that has a truthy entry in the
 * module-level `escapedCodes` table with that entry. The table is indexed
 * by the character's UTF-16 code unit (`charCodeAt`).
 *
 * NOTE(review): `escapedCodes` is defined outside this excerpt. Which
 * characters it covers, and the exact form of the replacements, must be
 * confirmed there. A code unit whose entry is missing or empty, including
 * any code unit beyond the end of the table, is copied through unchanged.
 *
 * NOTE(review): this is URL-level escaping. It presumably does not replace
 * context-specific output encoding where the resulting URL is later written
 * into HTML or script; confirm at the call sites.
 *
 * @param {string} rest - Text to scan.
 * @returns {string} `rest` itself when nothing was replaced, otherwise a new
 *   string with the replacements applied.
 */
function autoEscapeStr(rest) {
  let out = '';
  // Index of the first character not yet copied into `out`.
  let copyFrom = 0;

  for (let pos = 0; pos < rest.length; pos += 1) {
    const replacement = escapedCodes[rest.charCodeAt(pos)];
    if (!replacement) {
      // Ordinary character: leave it for the next bulk copy.
      continue;
    }

    // Flush the run of ordinary characters that precedes this one.
    if (pos > copyFrom) {
      out += rest.slice(copyFrom, pos);
    }
    out += replacement;
    copyFrom = pos + 1;
  }

  // `copyFrom` only moves on a replacement, so 0 means the input is untouched
  // and can be returned as-is without building a copy.
  if (copyFrom === 0) {
    return rest;
  }

  // Append whatever ordinary characters follow the last replacement.
  return copyFrom < rest.length ? out + rest.slice(copyFrom) : out;
}
| 573 | |
| 574 | // Format a parsed object into a url string |
| 575 | function urlFormat(urlObject, options) { |