Escape field values for XML-unsafe characters (#177)

* Escape field values for XML-unsafe characters * String equality check ===
2024-12-23 06:23:37 -05:00 · 2016-09-13 17:51:17 -04:00 · 2016-09-13 17:51:17 -04:00 · 6b08b95b97
commit 6b08b95b97
parent 08b40b4d1d
2 changed files with 27 additions and 1 deletions
--- a/src/engine/blocks.js
+++ b/src/engine/blocks.js
@ -1,4 +1,5 @@
 var adapter = require('./adapter');
+var xmlEscape = require('../util/xml-escape');

 /**
 * @fileoverview
@ -369,8 +370,12 @@ Blocks.prototype.blockToXML = function (blockId) {
    // Add any fields on this block.
    for (var field in block.fields) {
        var blockField = block.fields[field];
+        var value = blockField.value;
+        if (typeof value === 'string') {
+            value = xmlEscape(blockField.value);
+        }
        xmlString += '<field name="' + blockField.name + '">' +
-            blockField.value + '</field>';
+            value + '</field>';
    }
    // Add blocks connected to the next connection.
    if (block.next) {
--- a/src/util/xml-escape.js
+++ b/src/util/xml-escape.js
@ -0,0 +1,21 @@
+/**
+ * Escape a string to be safe to use in XML content.
+ * CC-BY-SA: hgoebl
+ * https://stackoverflow.com/questions/7918868/
+ * how-to-escape-xml-entities-in-javascript
+ * @param {!string} unsafe Unsafe string.
+ * @return {string} XML-escaped string, for use within an XML tag.
+ */
+var xmlEscape = function (unsafe) {
+    return unsafe.replace(/[<>&'"]/g, function (c) {
+        switch (c) {
+        case '<': return '&lt;';
+        case '>': return '&gt;';
+        case '&': return '&amp;';
+        case '\'': return '&apos;';
+        case '"': return '&quot;';
+        }
+    });
+};
+
+module.exports = xmlEscape;