feat: escape = (#24)

gurgunday · web-flow · commit 4a5cf95c882c · 2024-07-30T19:08:59.000+03:00
* escape `=`

* update README
diff --git a/README.md b/README.md
@@ -55,7 +55,7 @@ const username = '<img src="https://example.com/pwned.png">';
 const greeting = html`<h1>Hello, ${username}</h1>`;
 
 console.log(greeting);
-// Output: <h1>Hello, &#60;img src=&#34;https://example.com/pwned.png&#34;&#62;</h1>
+// Output: <h1>Hello, &#60;img src&#61;&#34;https://example.com/pwned.png&#34;&#62;</h1>
 ```
 
 To bypass escaping:
diff --git a/src/html.js b/src/html.js
@@ -1,4 +1,4 @@
-const escapeRegExp = /["&'<>`]/;
+const escapeRegExp = /["&'<=>`]/;
 
 const escapeFunction = (string) => {
   let escaped = "";
@@ -22,6 +22,10 @@ const escapeFunction = (string) => {
         escaped += string.slice(start, end) + "&#60;";
         start = end + 1;
         continue;
+      case 61: // =
+        escaped += string.slice(start, end) + "&#61;";
+        start = end + 1;
+        continue;
       case 62: // >
         escaped += string.slice(start, end) + "&#62;";
         start = end + 1;
diff --git a/test/index.js b/test/index.js
@@ -70,6 +70,14 @@ test("renders unsafe content /2", () => {
   );
 });
 
+test("renders unsafe content /3", () => {
+  // prettier-ignore
+  assert.strictEqual(
+    html`<img src="https://picsum.photos/200/300" alt=${"altText onload=alert(String.fromCharCode(112,119,110,101,100))"} />`,
+    `<img src="https://picsum.photos/200/300" alt=altText onload&#61;alert(String.fromCharCode(112,119,110,101,100)) />`,
+  );
+});
+
 test("renders arrays", () => {
   assert.strictEqual(
     html`<p>${[descriptionSafe, descriptionUnsafe]}</p>`,
