Merge pull request #5020 from wavetermdev/escape-html

Escape Unsafe HTML Characters in addon-serialize

Author: Tyriar

addons/addon-serialize/src/SerializeAddon.test.ts

@@ -138,6 +138,16 @@ describe('SerializeAddon', () => {
       assert.equal((output.match(/<div><span>terminal<\/span><\/div>/g) || []).length, 1, output);
     });
 
+    it('basic terminal with html unsafe chars', async () => {
+      await writeP(terminal, ' <a>&pi; ');
+      terminal.select(1, 0, 7);
+
+      const output = serializeAddon.serializeAsHTML({
+        onlySelection: true
+      });
+      assert.equal((output.match(/<div><span>&lt;a>&amp;pi;<\/span><\/div>/g) || []).length, 1, output);
+    });
+
     it('cells with bold styling', async () => {
       await writeP(terminal, ' ' + sgr('1') + 'terminal' + sgr('22') + ' ');
 

addons/addon-serialize/src/SerializeAddon.ts

@@ -14,6 +14,14 @@ function constrain(value: number, low: number, high: number): number {
   return Math.max(low, Math.min(value, high));
 }
 
+function escapeHTMLChar(c: string): string {
+  switch (c) {
+    case '&': return '&';
+    case '<': return '&lt;';
+  }
+  return c;
+}
+
 // TODO: Refine this template class later
 abstract class BaseSerializeHandler {
   constructor(
@@ -669,7 +677,7 @@ export class HTMLSerializeHandler extends BaseSerializeHandler {
     if (isEmptyCell) {
       this._currentRow += ' ';
     } else {
-      this._currentRow += cell.getChars();
+      this._currentRow += escapeHTMLChar(cell.getChars());
     }
   }