fix: add safe filter

learosema · learosema · commit e01d0f17cb6e · 2024-09-30T17:52:50.000+02:00
diff --git a/demo/_layouts/base.html b/demo/_layouts/base.html
@@ -9,7 +9,7 @@
 <body>
   <html-include src="header.html"/>
   <main>
-    {{ content }}
+    {{ content | safe }}
   </main>
   <html-include src="footer.html"/>  
 </body>
diff --git a/src/transforms/template-data.js b/src/transforms/template-data.js
@@ -8,6 +8,14 @@ const TEMPLATE_REGEX = /\{\{\s*([\w\.\[\]]+)(?:\((.*)\))?(?:\s*\|\s([a-zA-Z*]\w*
 const JSON_PATH_REGEX = /^[a-zA-Z_]\w*((?:\.\w+)|(?:\[\d+\]))*$/
 const JSON_PATH_TOKEN = /(^[a-zA-Z_]\w*)|(\.[a-zA-Z_]\w*)|(\[\d+\])/g
 
+function mergeMaps(map1, map2) {
+  return new Map([...map1, ...map2]);
+}
+
+function htmlEscape(input) {
+  return input?.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+}
+
 /**
  * Poor girl's jsonpath
  * 
@@ -59,7 +67,11 @@ export function parseArguments(args, data) {
  * @returns {(data: any, filters: Map<string, function>) => string} a function that takes a data object and returns the processed template
  */
 export function template(str) {
-  return (data, filters) => {
+  const defaultFilters = new Map();
+  let isSafe = false;
+  defaultFilters.set('safe', (input) => { isSafe = true; return input; })
+  return (data, providedFilters) => {
+    const filters = mergeMaps(defaultFilters || new Map(), providedFilters || new Map())
     return str.replace(TEMPLATE_REGEX, (_, expr, params, filter, filterParams) => {
       let result = dataPath(expr)(data);
       const args = parseArguments(params, data);
@@ -73,7 +85,7 @@ export function template(str) {
         const filterArgs = parseArguments(filterParams, data);
         result = filters.get(filter)(result, ...filterArgs);
       }
-      return result;
+      return isSafe ? result : htmlEscape(result);
     });
   }
 }
@@ -123,11 +135,12 @@ export async function handleTemplateFile(config, data, inputFile) {
     const l = await handleTemplateFile(config, 
       {...fileData, content: fileContent, layout: null}, layoutFilePath);
     if (l) {
-      fileContent = l.content;;
+      fileContent = l.content;
     } else {
       throw new Error('Layout not found:' + layoutFilePath);
     }
   }
 
   return {content: fileContent, filename: outputFile};
 }
+
