@wordpress/escape-html - npm Package Compare versions

Comparing version 1.1.0 to 1.2.0

build-module/index.js

 /**
+ * Internal dependencies
+ */
+import __unstableEscapeGreaterThan from './escape-greater';
+/**
  * Regular expression matching invalid attribute names.
@@ -12,2 +16,3 @@ *
  */
+
 var REGEXP_INVALID_ATTRIBUTE_NAME = /[\u007F-\u009F "'>/="\uFDD0-\uFDEF]/;
@@ -62,2 +67,10 @@ /**
  *
+ * Note we also escape the greater than symbol, as this is used by wptexturize to
+ * split HTML strings. This is a WordPress specific fix
+ *
+ * Note that if a resolution for Trac#45387 comes to fruition, it is no longer
+ * necessary for `__unstableEscapeGreaterThan` to be used.
+ *
+ * See: https://core.trac.wordpress.org/ticket/45387
+ *
  * @param {string} value Attribute value.
@@ -69,3 +82,3 @@ *
 export function escapeAttribute(value) {
-  return escapeQuotationMark(escapeAmpersand(value));
+  return __unstableEscapeGreaterThan(escapeQuotationMark(escapeAmpersand(value)));
 }
@@ -72,0 +85,0 @@ /**

build/index.js

 "use strict";
 
+var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
+
 Object.defineProperty(exports, "__esModule", {
@@ -13,3 +15,9 @@ value: true
 
+var _escapeGreater = _interopRequireDefault(require("./escape-greater"));
+
 /**
+ * Internal dependencies
+ */
+
+/**
  * Regular expression matching invalid attribute names.
@@ -76,2 +84,10 @@ *
  *
+ * Note we also escape the greater than symbol, as this is used by wptexturize to
+ * split HTML strings. This is a WordPress specific fix
+ *
+ * Note that if a resolution for Trac#45387 comes to fruition, it is no longer
+ * necessary for `__unstableEscapeGreaterThan` to be used.
+ *
+ * See: https://core.trac.wordpress.org/ticket/45387
+ *
  * @param {string} value Attribute value.
@@ -84,3 +100,3 @@ *
 function escapeAttribute(value) {
-  return escapeQuotationMark(escapeAmpersand(value));
+  return (0, _escapeGreater.default)(escapeQuotationMark(escapeAmpersand(value)));
 }
@@ -87,0 +103,0 @@ /**

CHANGELOG.md

@@ -0,1 +1,5 @@
+## 1.1.1 (Unreleased)
+
+- Add fix for WordPress wptexturize greater-than tokenize bug (see https://core.trac.wordpress.org/ticket/45387)
+
 ## 1.0.1 (2018-10-19)
@@ -2,0 +6,0 @@

package.json

 {
 	"name": "@wordpress/escape-html",
-	"version": "1.1.0",
+	"version": "1.2.0",
 	"description": "Escape HTML utils.",
@@ -28,3 +28,3 @@ "author": "The WordPress Contributors",
 	},
-	"gitHead": "80d228669adadb8dfcd24b8421517fed3be2d474"
+	"gitHead": "1e024a20a20369af7bc9720a676fdd3837a3a105"
 }

README.md

@@ -15,2 +15,124 @@ # Escape HTML
 
+## API
+
+<!-- START TOKEN(Autogenerated API docs) -->
+
+### escapeAmpersand
+
+[src/index.js#L33-L35](src/index.js#L33-L35)
+
+Returns a string with ampersands escaped. Note that this is an imperfect
+implementation, where only ampersands which do not appear as a pattern of
+named, decimal, or hexadecimal character references are escaped. Invalid
+named references (i.e. ambiguous ampersand) are are still permitted.
+
+**Related**
+
+-   <https://w3c.github.io/html/syntax.html#character-references>
+-   <https://w3c.github.io/html/syntax.html#ambiguous-ampersand>
+-   <https://w3c.github.io/html/syntax.html#named-character-references>
+
+**Parameters**
+
+-   **value** `string`: Original string.
+
+**Returns**
+
+`string`: Escaped string.
+
+### escapeAttribute
+
+[src/index.js#L79-L81](src/index.js#L79-L81)
+
+Returns an escaped attribute value.
+
+**Related**
+
+-   <https://w3c.github.io/html/syntax.html#elements-attributes>
+
+"[...] the text cannot contain an ambiguous ampersand [...] must not contain
+any literal U+0022 QUOTATION MARK characters (")"
+
+Note we also escape the greater than symbol, as this is used by wptexturize to
+split HTML strings. This is a WordPress specific fix
+
+Note that if a resolution for Trac#45387 comes to fruition, it is no longer
+necessary for `__unstableEscapeGreaterThan` to be used.
+
+See: <https://core.trac.wordpress.org/ticket/45387>
+
+**Parameters**
+
+-   **value** `string`: Attribute value.
+
+**Returns**
+
+`string`: Escaped attribute value.
+
+### escapeHTML
+
+[src/index.js#L95-L97](src/index.js#L95-L97)
+
+Returns an escaped HTML element value.
+
+**Related**
+
+-   <https://w3c.github.io/html/syntax.html#writing-html-documents-elements>
+
+"the text must not contain the character U+003C LESS-THAN SIGN (\<) or an
+ambiguous ampersand."
+
+**Parameters**
+
+-   **value** `string`: Element value.
+
+**Returns**
+
+`string`: Escaped HTML element value.
+
+### escapeLessThan
+
+[src/index.js#L55-L57](src/index.js#L55-L57)
+
+Returns a string with less-than sign replaced.
+
+**Parameters**
+
+-   **value** `string`: Original string.
+
+**Returns**
+
+`string`: Escaped string.
+
+### escapeQuotationMark
+
+[src/index.js#L44-L46](src/index.js#L44-L46)
+
+Returns a string with quotation marks replaced.
+
+**Parameters**
+
+-   **value** `string`: Original string.
+
+**Returns**
+
+`string`: Escaped string.
+
+### isValidAttributeName
+
+[src/index.js#L106-L108](src/index.js#L106-L108)
+
+Returns true if the given attribute name is valid, or false otherwise.
+
+**Parameters**
+
+-   **name** `string`: Attribute name to test.
+
+**Returns**
+
+`boolean`: Whether attribute is valid.
+
+
+<!-- END TOKEN(Autogenerated API docs) -->
+
 <br/><br/><p align="center"><img src="https://s.w.org/style/images/codeispoetry.png?1" alt="Code is Poetry." /></p>

src/index.js

 /**
+ * Internal dependencies
+ */
+import __unstableEscapeGreaterThan from './escape-greater';
+
+/**
  * Regular expression matching invalid attribute names.
@@ -62,2 +67,10 @@ *
  *
+ * Note we also escape the greater than symbol, as this is used by wptexturize to
+ * split HTML strings. This is a WordPress specific fix
+ *
+ * Note that if a resolution for Trac#45387 comes to fruition, it is no longer
+ * necessary for `__unstableEscapeGreaterThan` to be used.
+ *
+ * See: https://core.trac.wordpress.org/ticket/45387
+ *
  * @param {string} value Attribute value.
@@ -68,3 +81,3 @@ *
 export function escapeAttribute( value ) {
-	return escapeQuotationMark( escapeAmpersand( value ) );
+	return __unstableEscapeGreaterThan( escapeQuotationMark( escapeAmpersand( value ) ) );
 }
@@ -71,0 +84,0 @@

src/test/index.js

@@ -12,3 +12,11 @@ /**
 } from '../';
+import __unstableEscapeGreaterThan from '../escape-greater';
 
+function testUnstableEscapeGreaterThan( implementation ) {
+	it( 'should escape greater than', () => {
+		const result = implementation( 'Chicken > Ribs' );
+		expect( result ).toBe( 'Chicken > Ribs' );
+	} );
+}
+
 function testEscapeAmpersand( implementation ) {
@@ -50,5 +58,10 @@ it( 'should escape ampersand', () => {
 
+describe( 'escapeGreaterThan', () => {
+	testUnstableEscapeGreaterThan( __unstableEscapeGreaterThan );
+} );
+
 describe( 'escapeAttribute', () => {
 	testEscapeAmpersand( escapeAttribute );
 	testEscapeQuotationMark( escapeAttribute );
+	testUnstableEscapeGreaterThan( escapeAttribute );
 } );
@@ -55,0 +68,0 @@

New alerts

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

47848

22.17%

Number of package files

15

50%

Lines of code

439

28.74%

Number of lines in readme file

138

762.5%

Worsened metrics

Number of medium supply chain risk alerts

1

Infinity%

No dependency changes