marcel/familienarchiv
1
0
Fork 0
Code Issues 118 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

refactor(mention): extract shared escapeHtml helper

Browse Source 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marcel
2026-04-29 00:02:03 +02:00
parent 091f6c7592
commit c7013f4902
2 changed files with 39 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
frontend/src/lib/utils/mention.spec.ts
View File

@@ -1,7 +1,31 @@
import { describe, it, expect } from 'vitest'; import { describe, it, expect } from 'vitest';
import { detectMention, extractContent, renderBody } from './mention'; import { detectMention, escapeHtml, extractContent, renderBody } from './mention';
import type { MentionDTO } from '$lib/types'; import type { MentionDTO } from '$lib/types';
// ─── escapeHtml ───────────────────────────────────────────────────────────────
describe('escapeHtml', () => {
it('escapes ampersand', () => {
expect(escapeHtml('AT&T')).toBe('AT&amp;T');
});
it('escapes less-than and greater-than', () => {
expect(escapeHtml('<script>')).toBe('&lt;script&gt;');
});
it('escapes double quote', () => {
expect(escapeHtml('say "hi"')).toBe('say &quot;hi&quot;');
});
it('returns empty string unchanged', () => {
expect(escapeHtml('')).toBe('');
});
it('escapes ampersand before other entities to avoid double-encoding', () => {
expect(escapeHtml('a&<b')).toBe('a&amp;&lt;b');
});
});
// ─── detectMention ──────────────────────────────────────────────────────────── // ─── detectMention ────────────────────────────────────────────────────────────
describe('detectMention', () => { describe('detectMention', () => {

24
frontend/src/lib/utils/mention.ts
View File

@@ -44,6 +44,18 @@ export function extractContent(
return { content: text, mentionedUserIds: [...seen] }; return { content: text, mentionedUserIds: [...seen] };
} }
/**
* Escapes the four HTML-special characters that can break out of text content
* or attribute values. & must be escaped first to avoid double-encoding.
*/
export function escapeHtml(str: string): string {
return str
.replaceAll('&', '&amp;')
.replaceAll('<', '&lt;')
.replaceAll('>', '&gt;')
.replaceAll('"', '&quot;');
}
/** /**
* Renders a comment body as safe HTML: * Renders a comment body as safe HTML:
* 1. Escapes all HTML-special characters in the raw content * 1. Escapes all HTML-special characters in the raw content
@@ -51,19 +63,11 @@ export function extractContent(
* 3. Converts newlines to <br> * 3. Converts newlines to <br>
*/ */
export function renderBody(content: string, mentions: MentionDTO[]): string { export function renderBody(content: string, mentions: MentionDTO[]): string {
let escaped = content let escaped = escapeHtml(content);
.replaceAll('&', '&amp;')
.replaceAll('<', '&lt;')
.replaceAll('>', '&gt;')
.replaceAll('"', '&quot;');
for (const mention of mentions) { for (const mention of mentions) {
const displayName = `${mention.firstName} ${mention.lastName}`.trim(); const displayName = `${mention.firstName} ${mention.lastName}`.trim();
const escapedDisplayName = displayName const escapedDisplayName = escapeHtml(displayName);
.replaceAll('&', '&amp;')
.replaceAll('<', '&lt;')
.replaceAll('>', '&gt;')
.replaceAll('"', '&quot;');
const span = `<span class="mention" data-user-id="${mention.id}">@${escapedDisplayName}</span>`; const span = `<span class="mention" data-user-id="${mention.id}">@${escapedDisplayName}</span>`;
escaped = escaped.replaceAll(`@${escapedDisplayName}`, span); escaped = escaped.replaceAll(`@${escapedDisplayName}`, span);
} }