hub / github.com/npmx-dev/npmx.dev / stripAndEscapeHtml

Function stripAndEscapeHtml

app/composables/useMarkdown.ts:45–72  ·  view source on GitHub ↗
(text: string)


// Reduce untrusted text to escaped plain text so it cannot inject markup (XSS).
//
// Pipeline, in order: decode entities -> drop markdown image badges -> drop HTML
// tags (their text content stays) -> drop HTML comments -> escape & < > " '.
//
// The final escape is the actual security boundary: tag and comment stripping only
// tidies the visible text, and whatever markup-like text survives it is re-encoded.
// Backtick spans are deliberately left unstripped and are escaped like everything else.
// NOTE(review): the escaped set covers HTML text and quoted-attribute contexts;
// URL, script and unquoted-attribute sinks need their own encoding.
// NOTE(review): decodeHtmlEntities and stripMarkdownImages are defined elsewhere;
// presumably the former turns `&lt;` back into `<`, so the escape must stay last.
function stripAndEscapeHtml(text: string): string {
  // Shared replacer: if the backtick-span branch matched (capture group 1), put the
  // span back unchanged; otherwise the match was a tag/comment and is dropped.
  const keepCodeSpan = (_match: string, codeSpan: string | undefined): string => codeSpan ?? ''

  // Decode first so entity-encoded markup is seen by the stripping passes below.
  const decoded = decodeHtmlEntities(text)

  // Remove markdown image badges.
  const withoutImages = stripMarkdownImages(decoded)

  // Remove opening/closing tags. The alternation tries a backtick span first, so
  // tags written inside inline code are not touched by this pass.
  const withoutTags = withoutImages.replace(/(`[^`]*`)|<\/?[a-z][^>]*>/gi, keepCodeSpan)

  // Remove <!-- ... --> comments; `(-->|$)` also consumes a comment left unclosed
  // by truncation, up to the end of the input.
  const withoutComments = withoutTags.replace(/(`[^`]*`)|<!--[\s\S]*?(-->|$)/g, keepCodeSpan)

  // Escape every remaining HTML-significant character in a single pass.
  const entityFor: Record<string, string> = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#039;',
  }
  return withoutComments.replace(/[&<>"']/g, ch => entityFor[ch] ?? ch)
}
74// Parse simple inline markdown to HTML
75function parseMarkdown({ text, plain }: UseMarkdownOptions): string {

Callers 1

parseMarkdownFunction · 0.85

Calls 2

decodeHtmlEntitiesFunction · 0.90
stripMarkdownImagesFunction · 0.85

Tested by

no test coverage detected