Escape HTML: Always Escape Ampersand

WordPress · Oct 17, 2019 · 70dfa53 · 70dfa53
1 parent d7cd263
commit 70dfa53
Show file tree

Hide file tree

Showing 4 changed files with 3 additions and 28 deletions.
diff --git a/packages/block-library/src/code/utils.js b/packages/block-library/src/code/utils.js
@@ -11,7 +11,6 @@ import { flow } from 'lodash';
  */
 export function escape( content ) {
 	return flow(
-		escapeAmpersands,
 		escapeOpeningSquareBrackets,
 		escapeProtocolInIsolatedUrls
 	)( content || '' );
@@ -27,33 +26,9 @@ export function unescape( content ) {
 	return flow(
 		unescapeProtocolInIsolatedUrls,
 		unescapeOpeningSquareBrackets,
-		unescapeAmpersands
 	)( content || '' );
 }
 
-/**
- * Returns the given content with all its ampersand characters converted
- * into their HTML entity counterpart (i.e. & => &amp;)
- *
- * @param {string}  content The content of a code block.
- * @return {string} The given content with its ampersands converted into
- *                  their HTML entity counterpart (i.e. & => &amp;)
- */
-function escapeAmpersands( content ) {
-	return content.replace( /&/g, '&amp;' );
-}
-
-/**
- * Returns the given content with all &amp; HTML entities converted into &.
- *
- * @param {string}  content The content of a code block.
- * @return {string} The given content with all &amp; HTML entities
- *                  converted into &.
- */
-function unescapeAmpersands( content ) {
-	return content.replace( /&amp;/g, '&' );
-}
-
 /**
  * Returns the given content with all opening shortcode characters converted
  * into their HTML entity counterpart (i.e. [ => &#91;). For instance, a

diff --git a/packages/element/src/test/serialize.js b/packages/element/src/test/serialize.js
@@ -188,7 +188,7 @@ describe( 'renderElement()', () => {
 	it( 'renders escaped string element', () => {
 		const result = renderElement( 'hello & world &amp; friends <img/>' );
 
-		expect( result ).toBe( 'hello &amp; world &amp; friends &lt;img/>' );
+		expect( result ).toBe( 'hello &amp; world &amp;amp; friends &lt;img/>' );
 	} );
 
 	it( 'renders numeric element as string', () => {

diff --git a/packages/escape-html/src/index.js b/packages/escape-html/src/index.js
@@ -31,7 +31,7 @@ const REGEXP_INVALID_ATTRIBUTE_NAME = /[\u007F-\u009F "'>/="\uFDD0-\uFDEF]/;
  * @return {string} Escaped string.
  */
 export function escapeAmpersand( value ) {
-	return value.replace( /&(?!([a-z0-9]+|#[0-9]+|#x[a-f0-9]+);)/gi, '&amp;' );
+	return value.replace( /&/gi, '&amp;' );
 }
 
 /**

diff --git a/packages/escape-html/src/test/index.js b/packages/escape-html/src/test/index.js
@@ -22,7 +22,7 @@ function testEscapeAmpersand( implementation ) {
 	it( 'should escape ampersand', () => {
 		const result = implementation( 'foo & bar &amp; &AMP; baz &#931; &#bad; &#x3A3; &#X3a3; &#xevil;' );
 
-		expect( result ).toBe( 'foo &amp; bar &amp; &AMP; baz &#931; &amp;#bad; &#x3A3; &#X3a3; &amp;#xevil;' );
+		expect( result ).toBe( 'foo &amp; bar &amp;amp; &amp;AMP; baz &amp;#931; &amp;#bad; &amp;#x3A3; &amp;#X3a3; &amp;#xevil;' );
 	} );
 }