google / jsonnet

Jsonnet - The data templating language
http://jsonnet.org
Apache License 2.0

manifestXmlJsonml does not escape content, nor is there an escape for html/xml #1037

Open scr-oath opened 1 year ago

scr-oath commented 1 year ago

How does one properly escape user inputs / data for insertion into contents of a tag?

[scr@R9459YDHVQ]$ jsonnet -S -e 'function(vars) std.manifestXmlJsonml(["statement", vars.statement])' --tla-code vars='{"statement": "5 < 4"}'
<statement>5 < 4</statement>

(Yes, the statement is false 😄, as is the output - it should be 5 &lt; 4)

scr-oath commented 1 year ago

Something like this seems to work and would be nice to add to std.

function(s)
  local chars = std.stringChars(s);
  local escapes = {
    '<': '&lt;',
    '>': '&gt;',
    '&': '&amp;',
    '"': '&quot;',
    "'": '&apos;',
  };
  local escapedChars = std.map(function(c) std.get(escapes, c, c), chars);
  std.join('', escapedChars)
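To make the issue concrete outside of Jsonnet, here is an added example (not code from the jsonnet project) in Python: a small JsonML serialiser in the shape std.manifestXmlJsonml consumes (["tag", {attrs}, children...]), with the same five-entity escape table as the comment above applied to text content and attribute values. The `escape=False` switch is an assumption used only to reproduce the unescaped output reported in the issue; the function and argument names are hypothetical.

```python
from typing import Any, Dict, List, Union

JsonML = Union[str, List[Any]]

# Same escape table as the Jsonnet function posted above.
XML_ESCAPES = {
    "&": "&amp;",  # must be applied first so later entities are not re-escaped
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&apos;",
}


def escape_xml(s: str) -> str:
    """Replace the five XML special characters with their entity references."""
    for raw, entity in XML_ESCAPES.items():
        s = s.replace(raw, entity)
    return s


def manifest_jsonml(node: JsonML, escape: bool = True) -> str:
    """Serialise a JsonML node to XML.

    A node is either a string (text content) or a list whose first element is
    the tag name, optionally followed by a dict of attributes, then children.
    escape=False reproduces the unescaped output described in the issue.
    """
    if isinstance(node, str):
        return escape_xml(node) if escape else node
    if not node or not isinstance(node[0], str):
        raise ValueError("JsonML element must start with a tag name")
    tag, children = node[0], node[1:]
    attrs: Dict[str, Any] = {}
    if children and isinstance(children[0], dict):
        attrs, children = children[0], children[1:]
    attr_str = "".join(
        ' %s="%s"' % (k, escape_xml(str(v)) if escape else v)
        for k, v in attrs.items()
    )
    inner = "".join(manifest_jsonml(c, escape) for c in children)
    return "<%s%s>%s</%s>" % (tag, attr_str, inner, tag)
```

Running it on the issue's input, `manifest_jsonml(["statement", "5 < 4"])` yields `<statement>5 &lt; 4</statement>`, whereas `escape=False` gives the malformed `<statement>5 < 4</statement>`.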