/**
* Simple sanitization. It is not intended to sanitize
* malicious element values.
*
* character | escaped
* < <
* > >
* ( (
* ) )
* # #
* & &
* " "
* ' '
*/
// used for body text
var charsEscape = {
'&': '&',
'<': '<',
'>': '>'
};
var charsUnescape = {
'&': '&',
'#': '#',
'<': '<',
'>': '>',
'(': '(',
')': ')',
'"': '"',
''': "'",
"": "\u001F"
};
// used in attribute values
var charsAttrEscape = {
'&': '&',
'<': '<',
'>': '>',
'"': '"',
"'": '''
};
function escapeRegExp(string) {
return string.replace(/([.*+?^=!:${}()|\[\]\/\\])/g, "\\$1");
}
// sanitize body text
exports.sanitize = function sanitize(value, reverse, attribute) {
if (typeof value !== 'string') {
return value;
}
var chars = reverse ? charsUnescape : (attribute ? charsAttrEscape : charsEscape);
var keys = Object.keys(chars);
keys.forEach(function (key) {
value = value.replace(new RegExp(escapeRegExp(key), 'g'), chars[key]);
});
return value;
};
