Skip to content

Is given HTML escaping flawed? #1

Description

@4lm

The developer(s) of html-escaper state(s), that:

do not ever replace one char after another if you are transforming a string into another.

That is what I do:

  function escape(string) {
    return string
      .replace(/&/g, "&")
      .replace(/"/g, """)
      .replace(/'/g, "'")
      .replace(/</g, "&lt;")
      .replace(/>/g, "&gt;");
  }

But I can't see any problem with this, because I escape the HTML and don't unescape it. Does someone see a flaw in this?

Metadata

Metadata

Assignees

Labels

questionFurther information is requested

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions