- Add escapeHtml utility function for HTML entity encoding - Apply escapeHtml to GanttChart popup HTML template - Apply escapeHtml to AuditPage PDF export HTML template This prevents potential XSS attacks if task names, user names, or other dynamic content contains malicious HTML/JavaScript. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
25 lines
715 B
TypeScript
/**
|
|
* Escapes HTML special characters to prevent XSS attacks.
|
|
* Use this when inserting dynamic content into HTML strings.
|
|
*/
|
|
export function escapeHtml(unsafe: string | null | undefined): string {
|
|
if (unsafe == null) return ''
|
|
return String(unsafe)
|
|
.replace(/&/g, '&')
|
|
.replace(/</g, '<')
|
|
.replace(/>/g, '>')
|
|
.replace(/"/g, '"')
|
|
.replace(/'/g, ''')
|
|
}
|
|
|
|
/**
|
|
* Escapes HTML for use in HTML attributes.
|
|
* More restrictive than escapeHtml - also escapes backticks and equals.
|
|
*/
|
|
export function escapeAttr(unsafe: string | null | undefined): string {
|
|
if (unsafe == null) return ''
|
|
return escapeHtml(unsafe)
|
|
.replace(/`/g, '`')
|
|
.replace(/=/g, '=')
|
|
}
|
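Review bot: As rendered here, every replacement in escapeHtml and escapeAttr maps a character to itself (`.replace(/&/g, '&')`, `.replace(/</g, '<')`, …), which would make both functions no-ops and leave the GanttChart and AuditPage templates unescaped; this is most likely the page decoding the entity references in the string literals rather than what was committed, but it is worth confirming the source really contains the named entities, e.g. `.replace(/&/g, '&amp;')` and `.replace(/</g, '&lt;')`, with the ampersand replaced first as it is here. A unit test along the lines of `assert.strictEqual(escapeHtml('<a href="x">&\'</a>'), '&lt;a href=&quot;x&quot;&gt;&amp;&#39;&lt;/a&gt;')` would pin this and catch any future regression where an entity is lost. In escapeHtml, `String(unsafe)` on a parameter already typed `string` is redundant under strict types; if it is kept deliberately as a guard for untyped JS callers, a short comment saying so would help the next reader. The null check at the top of escapeAttr is also redundant since escapeHtml already returns `''` for null/undefined, though it is harmless.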