Escape the characters `<`, `>`, `&`, `"`, `'` and `/` as HTML/XML entity references.

    assert "a&b-<>\"x\"/'".html_escape == "a&amp;b-&lt;&gt;&#34;x&#34;&#47;&#39;"
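# Escape the characters `<`, `>`, `&`, `"`, `'` and `/` as HTML/XML entity references.
#
# `<`, `>` and `&` become the named references `&lt;`, `&gt;` and `&amp;`;
# `"`, `'` and `/` become the numeric references `&#34;`, `&#39;` and `&#47;`,
# so the result can be placed in element content as well as in quoted attribute values.
# Any other character is copied unchanged, and a string that contains none of
# the six characters is returned without being copied.
#
# ~~~
# assert "a&b-<>\"x\"/'".html_escape == "a&amp;b-&lt;&gt;&#34;x&#34;&#47;&#39;"
# assert "plain text".html_escape == "plain text"
# ~~~
#
# SEE: <https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content>
fun html_escape: String
do
	# The output buffer is allocated lazily, on the first character that
	# needs escaping; until then nothing is copied.
	var buf: nullable Buffer = null
	for i in [0..length[ do
		var c = chars[i]
		var sub = null
		if c == '&' then
			sub = "&amp;"
		else if c == '<' then
			sub = "&lt;"
		else if c == '>' then
			sub = "&gt;"
		else if c == '"' then
			sub = "&#34;"
		else if c == '\'' then
			sub = "&#39;"
		else if c == '/' then
			sub = "&#47;"
		else
			# Ordinary character: only copy it if a buffer was already started.
			if buf != null then buf.add c
			continue
		end
		if buf == null then
			# First escapable character: start the buffer and catch up on the
			# untouched prefix `chars[0..i[` before appending the replacement.
			buf = new Buffer
			for j in [0..i[ do buf.add chars[j]
		end
		buf.append sub
	end
	# No buffer means no character needed escaping: return self as a String.
	if buf == null then return self.to_s
	return buf.to_s
end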
lib/core/text/abstract_text.nit:984,2--1023,4
# Byte-level implementation of `html_escape` for flat strings.
#
# The replacement table is the same as the generic `Text::html_escape`:
# `<` -> `&lt;`, `>` -> `&gt;`, `&` -> `&amp;`, `"` -> `&#34;`, `'` -> `&#39;`, `/` -> `&#47;`.
# Instead of growing a `Buffer`, the exact output size is computed up front
# (`chars_to_html_escape`, assumed to return the number of *extra* bytes the
# escaped form needs — TODO confirm against its definition), a `CString` of
# that size is allocated once, and the result is produced in a single pass
# over the raw bytes.
#
# NOTE(review): the write loop below has no bounds check of its own; it relies
# on `extra` being exact. An under-count would write past `nlen` in the raw
# `CString`, so any change to the table here must be mirrored in
# `chars_to_html_escape` (4 bytes for the three named references, 5 for the
# three numeric ones).
redef fun html_escape
do
	var extra = chars_to_html_escape
	# Fast path: nothing to escape, so no copy is made.
	if extra == 0 then return to_s
	var its = _items
	var max = last_byte
	var pos = first_byte
	var nlen = extra + _byte_length
	var nits = new CString(nlen)
	var outpos = 0
	# Walk the raw bytes from `first_byte` to `last_byte` inclusive. All six
	# special characters are single ASCII bytes; assuming `_items` holds UTF-8,
	# such bytes never occur inside a multi-byte sequence, so non-ASCII text is
	# copied through untouched by the final `else` branch.
	while pos <= max do
		var c = its[pos]
		# Special codes:
		# Some HTML characters are used as meta-data, they need
		# to be replaced by an HTML-Escaped equivalent
		if c == u'<' then
			nits[outpos] = u'&'
			nits[outpos + 1] = u'l'
			nits[outpos + 2] = u't'
			nits[outpos + 3] = u';'
			outpos += 4
		else if c == u'>' then
			nits[outpos] = u'&'
			nits[outpos + 1] = u'g'
			nits[outpos + 2] = u't'
			nits[outpos + 3] = u';'
			outpos += 4
		else if c == u'&' then
			nits[outpos] = u'&'
			nits[outpos + 1] = u'a'
			nits[outpos + 2] = u'm'
			nits[outpos + 3] = u'p'
			nits[outpos + 4] = u';'
			outpos += 5
		else if c == u'"' then
			# Numeric reference (`&#34;`) rather than `&quot;`, matching the
			# generic implementation.
			nits[outpos] = u'&'
			nits[outpos + 1] = u'#'
			nits[outpos + 2] = u'3'
			nits[outpos + 3] = u'4'
			nits[outpos + 4] = u';'
			outpos += 5
		else if c == u'\'' then
			nits[outpos] = u'&'
			nits[outpos + 1] = u'#'
			nits[outpos + 2] = u'3'
			nits[outpos + 3] = u'9'
			nits[outpos + 4] = u';'
			outpos += 5
		else if c == u'/' then
			nits[outpos] = u'&'
			nits[outpos + 1] = u'#'
			nits[outpos + 2] = u'4'
			nits[outpos + 3] = u'7'
			nits[outpos + 4] = u';'
			outpos += 5
		else
			# Ordinary byte: copied as-is.
			nits[outpos] = c
			outpos += 1
		end
		pos += 1
	end
	# Wrap the filled buffer directly; `nlen` is the full byte length and the
	# string starts at offset 0.
	var s = new FlatString.with_infos(nits, nlen, 0)
	return s
end
lib/core/text/flat.nit:134,2--197,4