leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
http://jsxss.com

escapeHtml seems to only catch first instance #135

Closed sweatherall closed 6 years ago

sweatherall commented 6 years ago

When customizing the escapeHtml function, it seems to only replace the first instance that it finds, and leaves the rest.

I am actually hacking the function a little bit, because I have HTML that has already been encoded, and I want to strip the encoding and replace it with normal characters.

For example, I am doing this:

special_options =
          whiteList:          []
          stripIgnoreTag:     true
          stripIgnoreTagBody: ['script']
          escapeHtml:         (html) -> return html.replace("&lt;", "<").replace("&gt;", ">").replace("&amp;", '&')

So, I really want to replace "&" with the normal ampersand sign (&). If there is a better way to do this, please let me know.

The main issue I am posting here is regarding the lack of replacement of each entity; it only replaces the first instance.

sweatherall commented 6 years ago

Please ignore this issue - I got it resolved by using a different, more correct, method.
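
The behaviour reported in this thread, as an added example that is not part of the issue or of js-xss: `String.prototype.replace` with a string pattern replaces only the first occurrence. The example goes one step beyond the report and also shows the double-decoding pitfall that appears when the chain is rewritten with global regexes in the wrong order. All function names and the sample string are constructed for illustration.

```javascript
// Added example: not code from the issue or from js-xss.
// All function names and the sample string are constructed for illustration.

// Pattern from the issue: a string pattern makes replace() stop after
// the first occurrence of each entity.
function decodeFirstOnly(html) {
  return html.replace("&lt;", "<").replace("&gt;", ">").replace("&amp;", "&");
}

// Failure mode to avoid when switching to global regexes: decoding &amp;
// first lets "&amp;lt;" be decoded twice, ending as "<".
function decodeAmpFirst(html) {
  return html.replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">");
}

// Single pass: every occurrence is replaced, each input position is decoded
// at most once, and the result does not depend on replacement order.
const ENTITY_MAP = { "&lt;": "<", "&gt;": ">", "&amp;": "&" };
function decodeEntities(html) {
  return html.replace(/&(?:lt|gt|amp);/g, (entity) => ENTITY_MAP[entity]);
}

// Inverse step for rendering decoded text back into an HTML context.
function escapeText(text) {
  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

const sample = "a &lt;b&gt; &amp; &lt;i&gt; &amp;lt;"; // constructed input
console.log(decodeFirstOnly(sample));
console.log(decodeAmpFirst(sample));
console.log(decodeEntities(sample));
console.log(escapeText(decodeEntities(sample)) === sample);
```

The decoded string contains literal `<` and `>`, so it is plain text that has to be escaped again wherever it is rendered as HTML, not sanitized markup.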