Use safer XML escaping
Jan Krems authored and boneskull committed Sep 11, 2017
1 parent 72622ab commit 45c870d
Showing 3 changed files with 13 additions and 13 deletions.
2 changes: 1 addition & 1 deletion lib/utils.js
Expand Up @@ -36,7 +36,7 @@ exports.inherits = require('util').inherits;
* @return {string}
*/
exports.escape = function (html) {
return he.encode(String(html), { useNamedReferences: true });
return he.encode(String(html), { useNamedReferences: false });
};

/**
Expand Down
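Review bot: The reason for `useNamedReferences: false` is stated nowhere in the function, so the next maintainer may flip it back for readability and reintroduce the problem; add a why-comment on that line, `// numeric (&#x..;) references only: HTML named entities such as &nbsp; are undefined in XML, so they would break any consumer that parses the escaped output as XML.` The JSDoc for `escape` begins above the hunk; its `@param` description (not visible here) should also state that the result is intended to be safe in both HTML and XML element and attribute contexts, and that it is an entity escaper, not a sanitiser for URL or script contexts. Whether `he.encode` with these options also escapes `'` and non-ASCII characters is not shown by the hunk and is worth confirming against the `he` version in use.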
12 changes: 6 additions & 6 deletions test/reporters/doc.spec.js
Expand Up @@ -43,7 +43,7 @@ describe('Doc reporter', function () {
root: false,
title: unescapedTitle
};
expectedTitle = '<div>' + expectedTitle + '</div>';
expectedTitle = '<div>' + expectedTitle + '</div>';
runner.on = function (event, callback) {
if (event === 'suite') {
callback(suite);
Expand Down Expand Up @@ -142,8 +142,8 @@ describe('Doc reporter', function () {
test.title = unescapedTitle;
test.body = unescapedBody;

var expectedEscapedTitle = '<div>' + expectedTitle + '</div>';
var expectedEscapedBody = '<div>' + expectedBody + '</div>';
var expectedEscapedTitle = '<div>' + expectedTitle + '</div>';
var expectedEscapedBody = '<div>' + expectedBody + '</div>';
runner.on = function (event, callback) {
if (event === 'pass') {
callback(test);
Expand Down Expand Up @@ -192,9 +192,9 @@ describe('Doc reporter', function () {
test.title = unescapedTitle;
test.body = unescapedBody;

var expectedEscapedTitle = '<div>' + expectedTitle + '</div>';
var expectedEscapedBody = '<div>' + expectedBody + '</div>';
var expectedEscapedError = '<div>' + expectedError + '</div>';
var expectedEscapedTitle = '<div>' + expectedTitle + '</div>';
var expectedEscapedBody = '<div>' + expectedBody + '</div>';
var expectedEscapedError = '<div>' + expectedError + '</div>';
runner.on = function (event, callback) {
if (event === 'fail') {
callback(test, unescapedError);
Expand Down
12 changes: 6 additions & 6 deletions test/unit/utils.spec.js
Expand Up @@ -627,13 +627,13 @@ describe('lib/utils', function () {

describe('escape', function () {
it('replaces the usual xml suspects', function () {
expect(utils.escape('<a<bc<d<')).to.be('&lt;a&lt;bc&lt;d&lt;');
expect(utils.escape('>a>bc>d>')).to.be('&gt;a&gt;bc&gt;d&gt;');
expect(utils.escape('"a"bc"d"')).to.be('&quot;a&quot;bc&quot;d&quot;');
expect(utils.escape('<>"&')).to.be('&lt;&gt;&quot;&amp;');
expect(utils.escape('<a<bc<d<')).to.be('&#x3C;a&#x3C;bc&#x3C;d&#x3C;');
expect(utils.escape('>a>bc>d>')).to.be('&#x3E;a&#x3E;bc&#x3E;d&#x3E;');
expect(utils.escape('"a"bc"d"')).to.be('&#x22;a&#x22;bc&#x22;d&#x22;');
expect(utils.escape('<>"&')).to.be('&#x3C;&#x3E;&#x22;&#x26;');

expect(utils.escape('&a&bc&d&')).to.be('&amp;a&amp;bc&amp;d&amp;');
expect(utils.escape('&amp;&lt;')).to.be('&amp;amp;&amp;lt;');
expect(utils.escape('&a&bc&d&')).to.be('&#x26;a&#x26;bc&#x26;d&#x26;');
expect(utils.escape('&amp;&lt;')).to.be('&#x26;amp;&#x26;lt;');
});

it('replaces invalid xml characters', function () {
Expand Down
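Review bot: The updated assertions in `replaces the usual xml suspects` cover `<`, `>`, `"` and `&` but not `'`, which matters when the escaped text lands inside a single-quoted attribute; if `he.encode` escapes it under these options, as I believe it does, pin that here with `expect(utils.escape("'a'")).to.be('&#x27;a&#x27;');` so a future option change cannot silently drop it. The `describe('escape')` block continues past the hunk (the `replaces invalid xml characters` case starts at its last visible line), so the new assertion belongs inside this `it`.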
