return buf.to_s
end
- # Escape the four characters `<`, `>`, `&`, and `"` with their html counterpart
+ # Escape the characters `<`, `>`, `&`, `"`, `'` and `/` as HTML/XML entity references.
#
- # assert "a&b->\"x\"".html_escape == "a&b->"x""
+ # assert "a&b-<>\"x\"/'".html_escape == "a&b-<>"x"/'"
+ #
+ # SEE: <https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content>
fun html_escape: SELFTYPE
do
var buf = new FlatBuffer
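Review bot: The new doc comment on `html_escape` does not say which output contexts this escaping is valid for, and the OWASP rule it links covers only HTML element content. Escaping these six characters (the `'` and `/` branches are added in the body hunk further down) is enough for element content and quoted attribute values. It is not enough for unquoted attributes, `<script>` or `<style>` bodies, event-handler attributes or URL-valued attributes. I would add a comment line such as `# Only safe for HTML element content and quoted attribute values; other contexts need their own encoding.` The appended strings appear entity-decoded on this page, so the exact references emitted cannot be checked from here, and the body of `html_escape` continues outside this hunk.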
else if c == '>' then
buf.append ">"
else if c == '"' then
- buf.append """
+ buf.append """
+ else if c == '\'' then
+ buf.append "'"
+ else if c == '/' then
+ buf.append "/"
else buf.add c
end