Properly escape HTML when working with content editable elements.

danhper · May 29, 2016 · d68ce2c · danhper · May 29, 2016 · d68ce2c
1 parent 66a4a93
commit d68ce2c
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 2 deletions.
diff --git a/src/content-script-tools/custom-events/workflowy.js b/src/content-script-tools/custom-events/workflowy.js
@@ -1,9 +1,11 @@
+import string from 'ac-util/string';
+
 export default {
   url: new RegExp('https://workflowy\.com.*', 'i'),
   // override setvalue
   bind: function (window) {
     this.setValue = (value) => {
-      this.elem.innerHTML = value;
+      this.elem.innerHTML = string.htmlEscape(value);
     };
   }
 };
diff --git a/src/handlers/content-editable.js b/src/handlers/content-editable.js
@@ -1,4 +1,5 @@
 import BaseHandler from './base';
+import string from 'ac-util/string';
 
 class ContentEditableHandler extends BaseHandler {
   getValue() {
@@ -31,7 +32,7 @@ class ContentEditableHandler extends BaseHandler {
       if (v.trim().length === 0) {
         return '<br>';
       }
-      return '<div>' + v + '</div>';
+      return '<div>' + string.htmlEscape(v) + '</div>';
     }).join('');
     this.elem.innerHTML = htmlValue;
     super.setValue(value);

diff --git a/src/util/string.js b/src/util/string.js
@@ -4,5 +4,17 @@ export default {
       return s;
     }
     return s[0].toUpperCase() + s.slice(1);
+  },
+
+  htmlEscape: function (s) {
+    if (!s) {
+      return s;
+    }
+    return s
+      .replace(/&/g, '&amp;')
+      .replace(/"/g, '&quot;')
+      .replace(/'/g, '&#39;')
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;');
   }
 };