
author(quasar) nebula <qznebula@protonmail.com>2023-09-11 10:11:44 -0300
committer(quasar) nebula <qznebula@protonmail.com>2023-09-11 10:11:44 -0300
commit3eb82ab2e3f9d921095af05cf0bc284f335aaa35 (patch)
tree0cc43b09e745cdb7ffc8bdd4364d6438a5b3e74b /src/data/things
parentd878ab29f20c0727acafb4b1150d4e31d69c55c0 (diff)
content: misc. changes to handle HTML sanitization
Diffstat (limited to 'src/data/things')
-rw-r--r--src/data/things/language.js29
1 files changed, 29 insertions, 0 deletions
diff --git a/src/data/things/language.js b/src/data/things/language.js
index cc49b735..afa9f1ee 100644
--- a/src/data/things/language.js
+++ b/src/data/things/language.js
@@ -214,6 +214,28 @@ export class Language extends Thing {
     return new Tag(null, null, output);
   }
 
+  // Similar to the above internal methods, but this one is public.
+  // It should be used when embedding content that may not have previously
+  // been sanitized directly into an HTML tag or template's contents.
+  // The templating engine usually handles this on its own, as does passing
+  // a value (sanitized or not) directly as an argument to formatString,
+  // but if you used a custom validation function ({validate: v => v.isHTML}
+  // instead of {type: 'string'} / {type: 'html'}) and are embedding the
+  // contents of a slot directly, it should be manually sanitized with this
+  // function first.
+  sanitize(arg) {
+    const escapeHTML = this.escapeHTML;
+
+    if (!escapeHTML) {
+      throw new Error(`escapeHTML unavailable`);
+    }
+
+    return (
+      (typeof arg === 'string'
+        ? new Tag(null, null, escapeHTML(arg))
+        : arg));
+  }
+
   formatDate(date) {
     this.assertIntlAvailable('intl_date');
     return this.intl_date.format(date);
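Review bot: `sanitize` returns any non-string argument unchanged, so a number, `null`, or an arbitrary object comes back unescaped and is implicitly trusted as already-safe HTML, while the leading comment only describes the string case. Because the method is public and recommended for slot contents that "may not have previously been sanitized", the pass-through deserves its own sentence in that comment, e.g. `// Non-string values are returned as-is and are assumed to already be sanitized HTML (a Tag or template); only strings are escaped here.` The detached call `escapeHTML(arg)` also drops `this`; if `escapeHTML` is ever a method that reads instance state, `this.escapeHTML(arg)` sidesteps that, and the guard is more precise as `if (typeof escapeHTML !== 'function')`. The doubled parentheses around the ternary can go: `return typeof arg === 'string' ? new Tag(null, null, escapeHTML(arg)) : arg;`.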
@@ -301,6 +323,13 @@ export class Language extends Thing {
         array.map(item => this.#sanitizeStringArg(item))));
   }
 
+  // Lists without separator: A B C
+  formatListWithoutSeparator(array) {
+    return this.#wrapSanitized(
+      array.map(item => this.#sanitizeStringArg(item))
+        .join(' '));
+  }
+
   // File sizes: 42.5 kB, 127.2 MB, 4.13 GB, 998.82 TB
   formatFileSize(bytes) {
     if (!bytes) return '';
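Review bot: The comment `// Lists without separator: A B C` on the new `formatListWithoutSeparator` is slightly misleading, since the implementation joins items with a single space; `// Lists joined by a plain space, with no conjunction or punctuation: A B C` matches what the code does. The list formatter just above appears to pass its mapped items through another formatter before `#wrapSanitized` (that call begins outside the hunk), whereas this one bypasses any locale-aware list rules, which is worth stating in the comment if intentional. Each item still goes through `#sanitizeStringArg` before the join, so escaping is preserved, and an empty array yields an empty wrapped string.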