milanvrekic / JS-humanize

A JS library for adding a “human touch” to data.
MIT License
396 stars, 72 forks

Humanize should escape HTML input #2

Open sirn opened 12 years ago

sirn commented 12 years ago

Currently Humanize doesn't do any HTML escaping; any input containing an HTML fragment could get executed on the page.

```javascript
=> Humanize.truncatechars("<script>alert('yo');<\/script>", 30)
   "<script>alert('yo');</script>"

=> Humanize.linebreaks("<script>alert('yo');<\/script>")
   "<p><script>alert('yo');</script></p>"
```

If this library is used for rendering untrusted user input (such as comments) things won't be pretty. To protect some poor soul from using this nice little library without knowing such an implication, I believe Humanize should escape HTML input by default with an optional parameter to disable it (if you however decide this is not the job of JS-Humanize, I think there should be a note about this behavior somewhere, in bold, red, large text, but that's likely never enough ;)

Either way, nice work!
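The following is an added example, not code from JS-humanize, showing what escape-by-default with an opt-out looks like for the two functions named in the report. The option name `escape`, the `"..."` truncation rule and the paragraph splitting are assumptions made for illustration, not the library's real API. The ordering matters: text is truncated first and escaped afterwards, so an entity such as `&lt;` is never cut in half and the length limit applies to visible characters; in `linebreaks` the untrusted text is escaped before the function's own `<p>`/`<br />` markup is added, so only markup the library generated survives.

```javascript
// Added example (not JS-humanize's own code). Option names and truncation
// rule are assumptions for illustration.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace every character that can open/close a tag or break out of an
// attribute value with its entity. "&" is included so existing entities in
// the input are not double-interpreted by the browser.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Cut to `length` characters (appending "..." when text was removed), then
// escape. Escaping after truncation keeps entities intact and measures the
// visible text rather than the longer escaped form.
function truncatechars(str, length, { escape = true } = {}) {
  const s = String(str);
  const keep = Math.max(0, length - 3);
  const out = s.length > length ? s.slice(0, keep) + "..." : s;
  return escape ? escapeHtml(out) : out;
}

// Blank-line separated paragraphs become <p>…</p>; single newlines become
// <br />. Untrusted text is escaped first, so the only tags in the result
// are the ones this function emits.
function linebreaks(str, { escape = true } = {}) {
  const safe = escape ? escapeHtml(str) : String(str);
  return safe
    .split(/\n{2,}/)
    .map((para) => "<p>" + para.replace(/\n/g, "<br />") + "</p>")
    .join("\n");
}

// Constructed sample input: the payload quoted in the issue.
const SAMPLE = "<script>alert('yo');<\/script>";

function demo() {
  return {
    truncated: truncatechars(SAMPLE, 30),
    truncatedRaw: truncatechars(SAMPLE, 30, { escape: false }),
    shortened: truncatechars("<b>hello world</b>", 10),
    paragraphs: linebreaks(SAMPLE),
    multi: linebreaks("line one\nline two\n\nnext paragraph"),
  };
}

console.log(demo());
```

With the default, the sample from the report renders as literal text (`&lt;script&gt;…`) instead of being parsed as a tag; passing `{ escape: false }` restores today's behaviour for callers that have already sanitised or trust the input.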

milanvrekic commented 12 years ago

Thank you. I agree that the script should escape HTML by default. I will get on it.