feat: Add escape_once helper

stephannv · Oct 12, 2024 · e2b7ebd · e2b7ebd
1 parent ba01afa
commit e2b7ebd
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 9 deletions.
diff --git a/spec/blueprint/html/helpers_spec.cr b/spec/blueprint/html/helpers_spec.cr
@@ -52,4 +52,34 @@ describe "helpers" do
       page.to_s.should contain expected_html
     end
   end
+
+  describe "#escape_once" do
+    it "escapes HTML without affecting existing escaped entities" do
+      actual_html = Blueprint::HTML.build do
+        span escape_once("&lt;&lt; Accept & Checkout")
+
+        div escape_once(MarkdownLink.new("1 < 2 &amp; 3", "example.com"))
+      end
+
+      expected_html = normalize_html <<-HTML
+        <span>&lt;&lt; Accept &amp; Checkout</span>
+
+        <div>[1 &lt; 2 &amp; 3](example.com)</div>
+      HTML
+
+      actual_html.to_s.should eq expected_html
+    end
+
+    it "escapes unsafe content" do
+      actual_html = Blueprint::HTML.build do
+        span escape_once("<script>alert('content')</script>")
+      end
+
+      expected_html = normalize_html <<-HTML
+        <span>&lt;script&gt;alert(&#39;content&#39;)&lt;/script&gt;</span>
+      HTML
+
+      actual_html.to_s.should eq expected_html
+    end
+  end
 end
diff --git a/spec/blueprint/html/utils_spec.cr b/spec/blueprint/html/utils_spec.cr
@@ -1,13 +1,5 @@
 require "../../spec_helper"
 
-private class MarkdownLink
-  def initialize(@text : String, @href : String); end
-
-  def to_s
-    "[#{@text}](#{@href})"
-  end
-end
-
 private class ExamplePage
   include Blueprint::HTML
 

diff --git a/spec/spec_helper.cr b/spec/spec_helper.cr
@@ -1,6 +1,14 @@
 require "spec"
 require "../src/blueprint/html"
 
+class MarkdownLink
+  def initialize(@text : String, @href : String); end
+
+  def to_s
+    "[#{@text}](#{@href})"
+  end
+end
+
 def normalize_html(html : String) : String
   html.strip.gsub(/\R\s+/, "")
 end
diff --git a/src/blueprint/html/helpers.cr b/src/blueprint/html/helpers.cr
@@ -1,8 +1,20 @@
 module Blueprint::HTML::Helpers
-  def safe(value) : SafeValue
+  HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
+
+  HTML_ESCAPE = {"&": "&amp;", ">": "&gt;", "<": "&lt;", %("): "&quot;", "'": "&#39;"}
+
+  private def safe(value) : SafeValue
     Blueprint::SafeValue.new(value)
   end
 
+  private def escape_once(value : String) : SafeValue
+    safe value.gsub(HTML_ESCAPE_ONCE_REGEXP, HTML_ESCAPE)
+  end
+
+  private def escape_once(value) : SafeValue
+    escape_once(value.to_s)
+  end
+
   @[Experimental]
   macro tokens(**conditions)
     String.build do |io|