d56b2e85aa
This is not a security issue because regular users are not allowed to insert FA icons anywhere in the app. Admins can insert icons via custom badges, but they already have the ability to create themes with JS.
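// Characters that must be escaped before text is interpolated into HTML, and
// the entity each one is replaced with.
// NOTE(review): the rendered page showed this map with the entity values
// already decoded (e.g. "&": "&"), which would turn `escape` into an identity
// function; the values below are the standard HTML entities such a map holds.
// Frozen so nothing can widen or weaken the set of replacements at runtime.
const ESCAPE_REPLACEMENTS = Object.freeze({
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "`": "&#x60;",
});

// Global form, used by String#replace to rewrite every occurrence.
const BAD_CHARS = /[&<>"'`]/g;

// Non-global form for the cheap "does anything need escaping?" probe; kept
// separate because a /g regex used with .test() carries a stateful lastIndex.
const POSSIBLE_CHARS = /[&<>"'`]/;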
/**
 * Looks up the replacement text for a single special character.
 *
 * @param {string} chr - a character matched by BAD_CHARS
 * @returns {string} the entry from ESCAPE_REPLACEMENTS for that character
 *   (undefined when the character is not a key of the map)
 */
function escapeChar(chr) {
  const { [chr]: replacement } = ESCAPE_REPLACEMENTS;
  return replacement;
}
/**
 * Escapes a value for safe insertion into HTML.
 *
 * @param {*} string - the value to escape; anything other than null is
 *   coerced to a string first
 * @returns {string} "" for null; for every other input, its string form with
 *   each character matched by BAD_CHARS replaced via escapeChar
 */
export default function escape(string) {
  // null collapses to the empty string.
  if (string === null) {
    return "";
  }

  // Remaining falsy values (undefined, false, 0, NaN, "") are stringified
  // as-is: none of them can contain a character that needs escaping.
  if (!string) {
    return string + "";
  }

  // Coerce explicitly. Both the regex test and the replace would stringify an
  // object anyway, so work on the string form up front; otherwise an object
  // whose toString() contains special characters could slip through.
  const text = "" + string;

  // Fast path: hand back strings with nothing to escape untouched.
  return POSSIBLE_CHARS.test(text) ? text.replace(BAD_CHARS, escapeChar) : text;
}