This adds support for quotes around parameters for the Buildkite-specific link and image escapes.
It removes the htmlStripper pass from parseElementSequence, as it was hiding the quotation marks from tokenizeString. Now tokenizeString has extra state variables to handle the quotation marks, and will strip quotes and ignore semicolon separators which are within them.
tokenizeString runs htmlStripper over each parsed parameter once split, maintaining the XSS protection which was formerly earlier in parseElementSequence.
Finally, this adds a new error to tokenizeString, which actually changes some of the XSS protection behaviour; it will no longer simply strip rogue quotation marks in values, instead it will return an error complaining about them being unclosed. Either way, the quotation marks are stripped from the output.
This adds support for quotes around parameters for the Buildkite-specific link and image escapes.
It removes the
htmlStripperpass fromparseElementSequence, as it was hiding the quotation marks fromtokenizeString. NowtokenizeStringhas extra state variables to handle the quotation marks, and will strip quotes and ignore semicolon separators which are within them.tokenizeStringrunshtmlStripperover each parsed parameter once split, maintaining the XSS protection which was formerly earlier inparseElementSequence.Finally, this adds a new error to
tokenizeString, which actually changes some of the XSS protection behaviour; it will no longer simply strip rogue quotation marks in values, instead it will return an error complaining about them being unclosed. Either way, the quotation marks are stripped from the output.