discourse/app/assets/javascripts/discourse-common/addon/lib/escape.js

const ESCAPE_REPLACEMENTS = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "`": "&#x60;",
};
const BAD_CHARS = /[&<>"'`]/g;
const POSSIBLE_CHARS = /[&<>"'`]/;

function escapeChar(chr) {
  return ESCAPE_REPLACEMENTS[chr];
}

export default function escape(string) {
  if (string === null) {
    return "";
  } else if (!string) {
    return string + "";
  }

  // Force a string conversion as this will be done by the append regardless and
  // the regex test will do this transparently behind the scenes, causing issues if
  // an object's to string has escaped characters in it.
  string = "" + string;

  if (!POSSIBLE_CHARS.test(string)) {
    return string;
  }
  return string.replace(BAD_CHARS, escapeChar);
}
FIX: Escape Font Awesome icons (#12421) This is not a security issue because regular users are not allowed to insert FA icons anywhere in the app. Admins can insert icons via custom badges, but they do have the ability to create themes with JS. 2021-03-17 21:11:40 +08:00			`const ESCAPE_REPLACEMENTS = {`
			`"&": "&",`
			`"<": "<",`
			`">": ">",`
			`'"': """,`
			`"'": "'",`
			"`": "`",
			`};`
			const BAD_CHARS = /[&<>"'`]/g;
			const POSSIBLE_CHARS = /[&<>"'`]/;

			`function escapeChar(chr) {`
			`return ESCAPE_REPLACEMENTS[chr];`
			`}`

			`export default function escape(string) {`
			`if (string === null) {`
			`return "";`
			`} else if (!string) {`
			`return string + "";`
			`}`

			`// Force a string conversion as this will be done by the append regardless and`
			`// the regex test will do this transparently behind the scenes, causing issues if`
			`// an object's to string has escaped characters in it.`
			`string = "" + string;`

			`if (!POSSIBLE_CHARS.test(string)) {`
			`return string;`
			`}`
			`return string.replace(BAD_CHARS, escapeChar);`
			`}`