What does citation JS use to escape citation data before turning it into html?

[J-avery32]

And where can I see the code that does the actual escaping?

[larsgw]

That's a good question.

• Formatted citation output (i.e. CSL output, 'bibliography' and 'citation') is made with citeproc-js and its HTML escape function can be seen here. It also allows some generic formatting HTML.
• JSON, YAML, BibTeX and RIS output (and any other specific formats I may be forgetting) seem safe to me, in the sense that it should not be interpreted as HTML at all.

There are also two situations where a non-HTML format is outputted with HTML markup (e.g. JSON with HTML indentation for if you do not want to use <pre> for some reason). This is the status on those:

• HTML-formatted BibTeX output is escaped because the BibTeX values themselves are escaped with this code (specifically UNSAFE_UNICODE and escapeValue).
• HTML-formatted JSON output is not escaped. This only happens if you run .format('data', { type: 'html' }) or .format('data', { format: 'html' }). When those options are used a warning is normally logged, but the logger is currently silent by default.

Other output formats do not offer this kind of HTML-formatted output, but if they did they are unlikely to be escaped.

[J-avery32]

I see. Thank you. I didn't realize that the code for escaping is in another repository.