sanitize-html - npm Package Compare versions

Comparing version 0.1.2 to 0.1.3

index.js

@@ -57,3 +57,5 @@ var htmlparser = require('htmlparser2');
             if (value.length) {
-              result += '="' + escapeHtml(value) + '"';
+              // Values are ALREADY escaped, calling escapeHtml here
+              // results in double escapes
+              result += '="' + value + '"';
             }
@@ -73,3 +75,5 @@ }
       }
-      result += escapeHtml(text);
+      // It is NOT actually raw text, entities are already escaped.
+      // If we call escapeHtml here we wind up double-escaping.
+      result += text;
     },
@@ -76,0 +80,0 @@ onclosetag: function(name) {

package.json

 {
   "name": "sanitize-html",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis",
@@ -5,0 +5,0 @@ "main": "index.js",

README.md

@@ -72,2 +72,4 @@ # sanitize-html
 
+0.1.3: do not double-escape entities in attributes or text. Turns out the "text" provided by htmlparser2 is already escaped.
+
 0.1.2: packaging error meant it wouldn't install properly.
@@ -74,0 +76,0 @@

test/test.js

@@ -37,3 +37,6 @@ var assert = require("assert");
   });
+  it('should preserve entities as such', function() {
+    assert.equal(sanitizeHtml('<a name="&lt;silly&gt;">&lt;Kapow!&gt;</a>'), '<a name="&lt;silly&gt;">&lt;Kapow!&gt;</a>');
+  });
 });
 

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

16676

increased by3.28%

Lines of code

166

increased by4.4%

Number of lines in readme file

90

increased by2.27%

No dependency changes