fix(escape_html): avoid double escape (#328)

hexojs · Jul 10, 2023 · 5195be9 · 5195be9
1 parent b33894d
commit 5195be9
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 7 deletions.
diff --git a/lib/escape_html.ts b/lib/escape_html.ts
@@ -1,6 +1,6 @@
-import unescapeHTML from './unescape_html';
-
-const htmlEntityMap = {
+const escapeTestNoEncode = /[<>"'`/=]|&(?!(#\d{1,7}|#[Xx][a-fA-F0-9]{1,6}|\w+);)/;
+const escapeReplaceNoEncode = new RegExp(escapeTestNoEncode.source, 'g');
+const escapeReplacements = {
   '&': '&amp;',
   '<': '&lt;',
   '>': '&gt;',
@@ -10,14 +10,16 @@ const htmlEntityMap = {
   '/': '&#x2F;',
   '=': '&#x3D;'
 };
+const getEscapeReplacement = (ch: string) => escapeReplacements[ch];
 
 function escapeHTML(str: string) {
   if (typeof str !== 'string') throw new TypeError('str must be a string!');
 
-  str = unescapeHTML(str);
-
-  // http://stackoverflow.com/a/12034334
-  return str.replace(/[&<>"'`/=]/g, a => htmlEntityMap[a]);
+  // https://github.com/markedjs/marked/blob/master/src/helpers.js
+  if (escapeTestNoEncode.test(str)) {
+    return str.replace(escapeReplaceNoEncode, getEscapeReplacement);
+  }
+  return str;
 }
 
 export = escapeHTML;
diff --git a/test/escape_html.spec.js b/test/escape_html.spec.js
@@ -16,4 +16,8 @@ describe('escapeHTML', () => {
   it('avoid double escape', () => {
     escapeHTML('&lt;foo>bar</foo&gt;').should.eql('&lt;foo&gt;bar&lt;&#x2F;foo&gt;');
   });
+
+  it('avoid double escape https://github.com/hexojs/hexo/issues/4946', () => {
+    escapeHTML('&emsp;&nbsp;&ensp;').should.eql('&emsp;&nbsp;&ensp;');
+  });
 });