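/**
 * Simple sanitization. It is not intended to sanitize
 * malicious element values.
 *
 * Only the characters that break XML well-formedness are replaced with
 * character references; nothing here validates or neutralises content
 * beyond that, so it is an escaper, not a security filter.
 *
 * character | escaped
 *     <        &lt;
 *     >        &gt;
 *     (        &#40;
 *     )        &#41;
 *     #        &#35;
 *     &        &amp;
 *     "        &quot;
 *     '        &apos;
 *
 * NOTE(review): the escaped forms are the standard XML character
 * references. The copy this block was restored from had every entity
 * decoded back to its bare character (each entry read like `'&': '&'`),
 * which turned the tables into identity mappings and left one empty key
 * in charsUnescape (an empty-string RegExp matches between every
 * character). Confirm the tables against the original file.
 */

// used for body text: the three characters XML forbids in character
// data, plus U+001F (not a legal XML 1.0 character), which is dropped
// rather than encoded. Other control characters are not stripped.
var charsEscape = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  "\u001F": ""
};

// used when reverse === true. Accepts more references than the escape
// tables emit (parentheses, '#', quotes), so it is not a strict inverse
// of charsEscape; U+001F cannot round-trip because escaping drops it.
var charsUnescape = {
  '&amp;': '&',
  '&#35;': '#',
  '&lt;': '<',
  '&gt;': '>',
  '&#40;': '(',
  '&#41;': ')',
  '&quot;': '"',
  '&apos;': "'",
  '&#31;': "\u001F"
};

// used in attribute values: both quote characters must be escaped too
var charsAttrEscape = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&apos;'
};

/**
 * Escape a literal string so it can be embedded in a RegExp source.
 * @param {string} string
 * @returns {string}
 */
function escapeRegExp(string) {
  return string.replace(/([.*+?^=!:${}()|\[\]\/\\])/g, "\\$1");
}

/**
 * Build one alternation regex matching every key of a table, so the
 * whole table is applied in a single pass over the input. No key of any
 * table is a prefix of another, so alternation order does not matter.
 * @param {Object<string,string>} chars
 * @returns {RegExp}
 */
function tableRegExp(chars) {
  return new RegExp(Object.keys(chars).map(escapeRegExp).join('|'), 'g');
}

// Compiled once at load time instead of one RegExp per key per call.
var bodyRegExp = tableRegExp(charsEscape);
var unescapeRegExp = tableRegExp(charsUnescape);
var attrRegExp = tableRegExp(charsAttrEscape);

/**
 * Escape (or, with `reverse`, unescape) XML special characters.
 *
 * Each table is applied in a single pass, so a reference is decoded at
 * most once: reversing "&amp;lt;" yields "&lt;", not "<". The previous
 * key-by-key loop re-scanned its own partial output and decoded such
 * input twice. Encoding output is unchanged, because no replacement
 * produced by the escape tables is itself a key of the same table
 * other than the '&' that was always handled first.
 *
 * @param {*} value - non-strings are returned as-is
 * @param {boolean} [reverse] - decode references instead of encoding
 * @param {boolean} [attribute] - use the attribute-value table (quotes
 *   too); ignored when reverse is set
 * @returns {*} the escaped/unescaped string, or `value` unchanged
 */
function sanitize(value, reverse, attribute) {
  if (typeof value !== 'string') {
    return value;
  }
  var chars;
  var re;
  if (reverse) {
    chars = charsUnescape;
    re = unescapeRegExp;
  } else if (attribute) {
    chars = charsAttrEscape;
    re = attrRegExp;
  } else {
    chars = charsEscape;
    re = bodyRegExp;
  }
  // The regex only ever matches a table key, so the lookup cannot miss.
  return value.replace(re, function(match) {
    return chars[match];
  });
}

// sanitize body text (CommonJS export; guarded so the file also loads
// where `exports` is not provided, e.g. an ES-module harness)
if (typeof exports === 'object' && exports !== null) {
  exports.sanitize = sanitize;
}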