Add transformation function for html escaping values from

user-provided data sources

Signed-off-by: Andy Boughton <[email protected]>

Author: abought

NOTICE.md

@@ -0,0 +1,28 @@
+## Third-party code
+LocusZoom gratefully acknowledges the use of some third-party code, with required license information provided below.
+
+### Underscore.js (text helpers and utility functions)
+Copyright (c) 2009-2017 Jeremy Ashkenas, DocumentCloud and Investigative
+Reporters & Editors
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+

assets/js/app/Singletons.js

@@ -291,6 +291,36 @@ LocusZoom.TransformationFunctions.add("urlencode", function(str) {
     return encodeURIComponent(str);
 });
 
+/**
+ * HTML-escape user entered values for use in constructed HTML fragments
+ *
+ * For example, this filter can be used on tooltips with custom HTML display
+ * @function htmlescape
+ * @param {String} str HTML-escape the provided value
+ */
+LocusZoom.TransformationFunctions.add("htmlescape", function(str) {
+    if ( !str ) {
+        return "";
+    }
+    str = str + "";
+
+    return str.replace( /['"<>&`]/g, function( s ) {
+        switch ( s ) {
+        case "'":
+            return "&#039;";
+        case "\"":
+            return "&quot;";
+        case "<":
+            return "&lt;";
+        case ">":
+            return "&gt;";
+        case "&":
+            return "&amp;";
+        case "`":
+            return "&#x60;";
+        }
+    });
+});
 
 /**
  * Singleton for accessing/storing functions that will convert arbitrary data points to values in a given scale

test/Singletons.js

@@ -100,6 +100,15 @@ describe("LocusZoom Singletons", function(){
                 });
             });
         });
+
+        describe("htmlescape", function() {
+            it("should escape characters with special meaning in xml, and ignore others", function() {
+                assert.equal(
+                    LocusZoom.TransformationFunctions.get("htmlescape")("<script type=\"application/javascript\">alert('yo & ' + `I`)</script>"),
+                    "&lt;script type=&quot;application/javascript&quot;&gt;alert(&#039;yo &amp; &#039; + &#x60;I&#x60;)&lt;/script&gt;"
+                );
+            });
+        });
     });
 
     describe("Scale Functions", function() {