Merge pull request #2 from jadejs/escape-html

TimothyGu · TimothyGu · commit 7fea7dc2fb40 · 2015-08-27T16:16:35.000-07:00
Escape html
diff --git a/README.md b/README.md
@@ -21,6 +21,12 @@ assert(stringify('foo') === '"foo"');
 assert(stringify('foo\u2028bar\u2029baz') === '"foo\\u2028bar\\u2029baz"');
 assert(stringify(new Date('2014-12-19T03:42:00.000Z')) === 'new Date("2014-12-19T03:42:00.000Z")');
 assert(stringify({foo: 'bar'}) === '{"foo":"bar"}');
+assert(stringify(undefined) === 'undefined');
+assert(stringify(null) === 'null');
+assert(
+  stringify({val: "</script><script>alert('bad actor')</script>"}) ===
+  '{"val":"\\u003C\\u002Fscript\\u003E\\u003Cscript\\u003Ealert(\'bad actor\')\\u003C\\u002Fscript\\u003E"}'
+);
 ```
 
 ## License
diff --git a/index.js b/index.js
@@ -10,5 +10,8 @@ function stringify(obj) {
   }
   return JSON.stringify(obj)
              .replace(/\u2028/g, '\\u2028')
-             .replace(/\u2029/g, '\\u2029');
+             .replace(/\u2029/g, '\\u2029')
+             .replace(/</g, '\\u003C')
+             .replace(/>/g, '\\u003E')
+             .replace(/\//g, '\\u002F');
 }
diff --git a/test/index.js b/test/index.js
@@ -9,5 +9,9 @@ assert(stringify(new Date('2014-12-19T03:42:00.000Z')) === 'new Date("2014-12-19
 assert(stringify({foo: 'bar'}) === '{"foo":"bar"}');
 assert(stringify(undefined) === 'undefined');
 assert(stringify(null) === 'null');
+assert(
+  stringify({val: "</script><script>alert('bad actor')</script>"}) ===
+  '{"val":"\\u003C\\u002Fscript\\u003E\\u003Cscript\\u003Ealert(\'bad actor\')\\u003C\\u002Fscript\\u003E"}'
+);
 
 console.log('tests passed');

Original file line number	Diff line number	Diff line change
`@@ -10,5 +10,8 @@ function stringify(obj) {`
`10`	`10`	`}`
`11`	`11`	`return JSON.stringify(obj)`
`12`	`12`	`.replace(/\u2028/g, '\\u2028')`
`13`		`- .replace(/\u2029/g, '\\u2029');`
	`13`	`+ .replace(/\u2029/g, '\\u2029')`
	`14`	`+ .replace(/</g, '\\u003C')`
	`15`	`+ .replace(/>/g, '\\u003E')`
	`16`	`+ .replace(/\//g, '\\u002F');`
`14`	`17`	`}`