// SPDX-FileCopyrightText: 2024-2026 Hack23 AB
// SPDX-License-Identifier: Apache-2.0
 
/**
 * @module Utils/Html/Escape
 * @description Single repo-wide HTML escaping and decoding utilities.
 *
 * `escapeHTML` is the canonical XSS-prevention encoder for the codebase —
 * its behaviour must not change. `decodeHtmlEntities` is the inverse used
 * when extracting plain text from our own generated HTML.
 */
 
/**
 * Reverse `escapeHTML()`: turn the five entities it emits back into the
 * literal characters `"`, `'`, `<`, `>` and `&`.
 *
 * Intended only for text that this codebase escaped itself. No other
 * entities (e.g. `&nbsp;` or hex numeric references) are decoded, and the
 * result is plain text — it must go through `escapeHTML()` again before it
 * is placed back into markup.
 *
 * A single regex pass is used, so every entity is decoded exactly once: the
 * `&` produced from `&amp;` is never re-examined, which is what makes
 * `&amp;lt;` decode to `&lt;` rather than all the way to `<`.
 *
 * @param str - HTML string containing entities emitted by `escapeHTML()`
 * @returns Plain text with those entities decoded
 */
export function decodeHtmlEntities(str: string): string {
  return str.replace(/&(?:quot|#39|lt|gt|amp);/g, (entity) => {
    switch (entity) {
      case '&quot;':
        return '"';
      case '&#39;':
        return "'";
      case '&lt;':
        return '<';
      case '&gt;':
        return '>';
      default:
        // Only `&amp;` can reach here given the pattern above.
        return '&';
    }
  });
}
 
/**
 * Escape the five characters that are significant in HTML text content and
 * in double- or single-quoted attribute values: `&`, `<`, `>`, `"`, `'`.
 *
 * This is the repo-wide XSS-prevention encoder; its output for any given
 * input is fixed and must not change. It is an HTML-body / quoted-attribute
 * encoder only — it does not make a value safe for unquoted attributes,
 * URLs, inline scripts or CSS, which need their own context-specific
 * encoding.
 *
 * Each character is rewritten in one pass over the original string, so the
 * `&` introduced by an entity is never escaped a second time.
 *
 * @param str - Raw, untrusted string to escape
 * @returns HTML-safe string
 */
export function escapeHTML(str: string): string {
  const entityFor = new Map<string, string>([
    ['&', '&amp;'],
    ['<', '&lt;'],
    ['>', '&gt;'],
    ['"', '&quot;'],
    ["'", '&#39;'],
  ]);
  // The character class matches exactly the Map's keys, so `get` always
  // hits; the `?? ch` fallback only exists to satisfy strict typing.
  return str.replace(/[&<>"']/g, (ch) => entityFor.get(ch) ?? ch);
}