move html escape into a util

2025-04-23 09:19:04 -04:00 · 2014-09-29 10:39:15 -07:00 · 2014-09-29 10:39:15 -07:00 · 1be0f3189c
commit 1be0f3189c
parent 10c6555d9f
4 changed files with 39 additions and 6 deletions
--- a/src/kibana/apps/discover/directives/table.js
+++ b/src/kibana/apps/discover/directives/table.js
@ -3,6 +3,7 @@ define(function (require) {
  var html = require('text!apps/discover/partials/table.html');
  var detailsHtml = require('text!apps/discover/partials/row_details.html');
  var moment = require('moment');
+  var htmlEscape = require('utils/html_escape');

  var _ = require('lodash');
  var $ = require('jquery');
@ -284,12 +285,7 @@ define(function (require) {


          if (breakWords) {
-            text = text.replace(/&/g, '&amp;')
-              .replace(/</g, '&lt;')
-              .replace(/>/g, '&gt;')
-              .replace(/'/g, '&#39;')
-              .replace(/"/g, '&quot;');
-
+            text = htmlEscape(text);
            var lineSize = 0;
            var newText = '';
            for (var i = 0, len = text.length; i < len; i++) {
--- a/src/kibana/utils/html_escape.js
+++ b/src/kibana/utils/html_escape.js
@ -0,0 +1,17 @@
+define(function (require) {
+  var _ = require('lodash');
+  var map = {
+    '&': '&amp;',
+    '<': '&lt;',
+    '>': '&gt;',
+    '\'': '&#39;',
+    '"': '&quot;',
+  };
+
+  var regex = new RegExp('[' + _.keys(map).join('') + ']', 'g');
+  return function htmlEscape(text) {
+    return text.replace(regex, function (c) {
+      return map[c];
+    });
+  };
+});
--- a/test/unit/index.html
+++ b/test/unit/index.html
@ -102,6 +102,7 @@
          'specs/utils/versionmath',
          'specs/utils/routes/index',
          'specs/utils/sequencer',
+          'specs/utils/html_escape',
          'specs/courier/search_source/_get_normalized_sort',
          'specs/factories/base_object',
          'specs/state_management/state',
--- a/test/unit/specs/utils/html_escape.js
+++ b/test/unit/specs/utils/html_escape.js
@ -0,0 +1,19 @@
+define(function (require) {
+  describe('HTML Escape Util', function () {
+    var htmlEscape = require('utils/html_escape');
+
+    it('removes tags by replacing their angle-brackets', function () {
+      expect(htmlEscape('<h1>header</h1>')).to.eql('&lt;h1&gt;header&lt;/h1&gt;');
+    });
+
+    it('removes attributes from tags using &quot; and &#39;', function () {
+      expect(htmlEscape('<h1 onclick="alert(\'hi\');">header</h1>'))
+      .to.eql('&lt;h1 onclick=&quot;alert(&#39;hi&#39;);&quot;&gt;header&lt;/h1&gt;');
+    });
+
+    it('escapes existing html entities by escaping their leading &', function () {
+      expect(htmlEscape('&lt;h1&gt;header&lt;/h1&gt;'))
+      .to.eql('&amp;lt;h1&amp;gt;header&amp;lt;/h1&amp;gt;');
+    });
+  });
+});