Skip to content

Instantly share code, notes, and snippets.

@jorendorff
Created May 14, 2015 22:38
Show Gist options
  • Save jorendorff/1a17f69dbfaafa2304f0 to your computer and use it in GitHub Desktop.
Save jorendorff/1a17f69dbfaafa2304f0 to your computer and use it in GitHub Desktop.
function SaferHTML(templateData) {
var s = templateData[0];
for (var i = 1; i < arguments.length; i++) {
var arg = String(arguments[i]);
// Escape special characters in the substitution.
s += arg.replace(/&/g, "&amp;")
.replace(/</g, "&lt;")
.replace(/>/g, "&gt;");
// Don't escape special characters in the template.
s += templateData[i];
}
return s;
}
var bonk = {
sender: "Hacker Steve <script>alert('xss');</script>"
};
console.log(SaferHTML`<p>${bonk.sender} sent you a bonk.</p>`);
@diouldebalde
Copy link

Var message=
saferHTML(template data,bonk.sender);

@diouldebalde
Copy link

object.freeze([<p>,
has sent you a bonk. <|p>]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment