feat: add escapeHtml function

This can be used to escape any special characters in a string with HTML before sending from the server back to the client. This is important to prevent a cross-site scripting attack.
2021-06-29 15:28:44 -07:00
parent faa896c12c
commit c505fc45a8
4 changed files with 67 additions and 2 deletions
--- a/src/node/util.ts
+++ b/src/node/util.ts
@ -508,3 +508,17 @@ export const isFile = async (path: string): Promise<boolean> => {
    return false
  }
 }
+
+/**
+ * Escapes any HTML string special characters, like &, <, >, ", and '.
+ *
+ * Source: https://stackoverflow.com/a/6234804/3015595
+ **/
+export function escapeHtml(unsafe: string): string {
+  return unsafe
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#039;")
+}