fix(v2): escape HTML entities in user tags attributes (#4894)

This commit is contained in:
Alexey Pyltsyn 2021-06-03 15:52:13 +03:00 committed by GitHub
parent 0587d6d6e7
commit 1349ece883
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 6 additions and 3 deletions


@ -69,6 +69,7 @@
"cssnano": "^5.0.4",
"del": "^6.0.0",
"detect-port": "^1.3.0",
"escape-html": "^1.0.3",
"eta": "^1.12.1",
"express": "^4.17.1",
"file-loader": "^6.2.0",


@ -8,7 +8,7 @@
import htmlTagObjectToString from '../htmlTags';
describe('htmlTagObjectToString', () => {
test('simple html tag', () => {
test('valid html tag', () => {
expect(
htmlTagObjectToString({
tagName: 'script',
@ -17,10 +17,11 @@ describe('htmlTagObjectToString', () => {
src:
'https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.0/clipboard.min.js',
async: true,
'data-options': '{"prop":true}',
},
}),
).toMatchInlineSnapshot(
`"<script type=\\"text/javascript\\" src=\\"https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.0/clipboard.min.js\\" async></script>"`,
`"<script type=\\"text/javascript\\" src=\\"https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.0/clipboard.min.js\\" async data-options=\\"{&quot;prop&quot;:true}\\"></script>"`,
);
expect(
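Review bot: The new `'data-options'` case only pins the `"` → `&quot;` replacement; nothing in the updated test covers `<`, `>`, `&` or `'`, which are the characters that would otherwise let an attribute value terminate the tag or start a new one. Adding one more attribute to this fixture, e.g. `'data-note': '<b>&\'x\'</b>'`, and extending the inline snapshot to expect `data-note=\"&lt;b&gt;&amp;&#39;x&#39;&lt;/b&gt;\"` (per escape-html's escape set) would make a regression in the escaping visible rather than only in the quote handling. A companion assertion that `innerHTML` is still emitted verbatim would also document that the escaping is deliberately limited to attribute values. The enclosing `test('valid html tag', …)` callback closes outside this hunk.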


@ -9,6 +9,7 @@ import {isPlainObject} from 'lodash';
import {HtmlTagObject} from '@docusaurus/types';
import htmlTags from 'html-tags';
import voidHtmlTags from 'html-tags/void';
import escapeHTML from 'escape-html';
function assertIsHtmlTagObject(val: unknown): asserts val is HtmlTagObject {
if (!isPlainObject(val)) {
@ -41,7 +42,7 @@ export default function htmlTagObjectToString(tagDefinition: unknown): string {
if (tagAttributes[attributeName] === true) {
return attributeName;
}
return `${attributeName}="${tagAttributes[attributeName]}"`;
return `${attributeName}="${escapeHTML(tagAttributes[attributeName])}"`;
});
return `<${[tagDefinition.tagName].concat(attributes).join(' ')}>${
(!isVoidTag && tagDefinition.innerHTML) || ''
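Review bot: The new line escapes only the attribute value; `attributeName` on the same line, and `tagDefinition.tagName` on the line below, are still interpolated raw, so a key containing `"`, `>`, `/` or whitespace can still close the attribute or the tag before the escaped value is reached. `assertIsHtmlTagObject` (declared just above, body outside the hunk) may already reject such keys — if it does not, a name check such as `if (!/^[a-zA-Z_:][-a-zA-Z0-9_:.]*$/.test(attributeName)) { throw new Error(`Invalid attribute name: ${attributeName}`); }` before the template literal would close the gap with a clear error instead of malformed markup. Note also that the `=== true` branch above does not narrow the indexed value, so a `false` attribute still reaches `escapeHTML` and is emitted as `attr="false"`; that is pre-existing behaviour, but worth a comment if it is intended. The `htmlTagObjectToString` body starts and ends outside this hunk.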