manifestXmlJsonml does not escape content, nor is there an escape for html/xml

Open scr-oath opened this issue 2 years ago • 1 comments

How does one properly escape user inputs / data for insertion into contents of a tag?

[scr@R9459YDHVQ]$ jsonnet -S -e 'function(vars) std.manifestXmlJsonml(["statement", vars.statement])' --tla-code vars='{"statement": "5 < 4"}'
<statement>5 < 4</statement>

(Yes the statement is false 😄 , as is the output - it should be 5 &lt; 4)

scr-oath, Nov 27 '22 19:11

Something like this seems to work and would be nice to add to std.

function(s)
  local chars = std.stringChars(s);
  local escapes = {
    '<': '&lt;',
    '>': '&gt;',
    '&': '&amp;',
    '"': '&quot;',
    "'": '&apos;',
  };
  local escapedChars = std.map(function(c) std.get(escapes, c, c), chars);
  std.join('', escapedChars)

scr-oath, Nov 27 '22 19:11
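
Building on the escape function in the comment above, this added example (not code from the issue or from the jsonnet project) walks a whole JsonML tree and escapes every text node and attribute value before calling std.manifestXmlJsonml. It assumes std.manifestXmlJsonml emits strings verbatim, as the output in the issue shows; escapeXml, escapeJsonml, the file name and the `note` attribute are hypothetical names chosen for illustration.

```jsonnet
// Added example: escape a JsonML tree before handing it to std.manifestXmlJsonml.
// escapeXml and escapeJsonml are hypothetical helpers, not std functions.
// Constructed invocation (example.jsonnet is an assumed file name):
//   jsonnet -S example.jsonnet \
//     --tla-code vars='{"statement": "5 < 4", "note": "a \"quoted\" value"}'

local escapeXml(s) =
  local escapes = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&apos;',
  };
  // Each character is mapped exactly once, so '&' is never double-escaped.
  std.join('', [std.get(escapes, c, c) for c in std.stringChars(s)]);

// A JsonML element is [tag, {attributes}?, child, child, ...].
local escapeJsonml(node) =
  if std.isString(node) then
    escapeXml(node)  // text node
  else if std.isArray(node) && std.length(node) > 0 then
    local hasAttrs = std.length(node) > 1 && std.isObject(node[1]);
    local attrs =
      if hasAttrs then
        // Attribute values are escaped as well, so a quote in user data
        // cannot terminate the attribute.
        [{
          [k]: escapeXml(std.toString(node[1][k]))
          for k in std.objectFields(node[1])
        }]
      else
        [];
    local children = if hasAttrs then node[2:] else node[1:];
    // Tag and attribute names are passed through unchanged: keep them
    // fixed in the template and never take them from user input.
    [node[0]] + attrs + [escapeJsonml(c) for c in children]
  else
    error 'expected a string or a non-empty JsonML array, got ' + std.type(node);

function(vars)
  std.manifestXmlJsonml(escapeJsonml(
    ['statement', { note: vars.note }, vars.statement, ['detail', 'a & b']]
  ))
```

Escaping the tree once, at the point where it is manifested, keeps the template itself free of per-field escape calls and prevents a forgotten field from reaching the output unescaped.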