From dc40abf14388906e48a4c9dfab7afa90baf7afb7 Mon Sep 17 00:00:00 2001 From: jos Date: Mon, 21 Dec 2015 14:39:15 +0100 Subject: [PATCH] Fixed #230, Fixed #227, and Fixed #93: html and unicode characters not escaped --- HISTORY.md | 1 + src/js/Node.js | 4 +++- test/test_build.html | 3 +++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/HISTORY.md b/HISTORY.md index 2b249c8..248ad2d 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -6,6 +6,7 @@ https://github.com/josdejong/jsoneditor ## not yet released, version 4.2.2 - Replaced the PNG icon images with SVG. Thanks @1j01. +- Fixed #230, #227, and #93: html and unicode characters not escaped. - Fixed #149: Memory leak when switching mode from/to `code` mode, web worker of Ace editor wasn't cleaned up. - Fixed #234: Remove dependency on a fork of the `jsonlint` project on github. diff --git a/src/js/Node.js b/src/js/Node.js index 7588390..124ca60 100644 --- a/src/js/Node.js +++ b/src/js/Node.js @@ -2858,6 +2858,7 @@ Node.prototype._stringCast = function(str) { */ Node.prototype._escapeHTML = function (text) { var htmlEscaped = String(text) + .replace(/&/g, '&') // must be replaced first! .replace(//g, '>') .replace(/ /g, '  ') // replace double space with an nbsp and space @@ -2880,7 +2881,8 @@ Node.prototype._unescapeHTML = function (escapedText) { return htmlEscaped .replace(/</g, '<') .replace(/>/g, '>') - .replace(/ |\u00A0/g, ' '); + .replace(/ |\u00A0/g, ' ') + .replace(/&/g, '&'); // must be replaced last }; /** diff --git a/test/test_build.html b/test/test_build.html index cd2a06a..bf0d998 100644 --- a/test/test_build.html +++ b/test/test_build.html @@ -1,6 +1,7 @@ + Test JSONEditor @@ -50,6 +51,8 @@ json = { "array": [1, 2, 3], "boolean": true, + "htmlcode": '"', + "unicode": '®', "null": null, "number": 123, "object": {"a": "b", "c": "d"},
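Review bot: The replacement chain in `_escapeHTML` visible in this hunk covers the ampersand, the angle brackets and double spaces but not `"` or `'`, so its output is only safe as element content, not inside an attribute value. The function continues past the end of the hunk, so quotes may be handled further down. If they are not, record the assumption next to the chain, for example `// escaped for element content only: quotes are left as-is, do not place in attributes`. The replacement strings on this page look entity-decoded by the page rendering (`'&'` is presumably the ampersand entity in the file), so that is not raised as a defect.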
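Review bot: The decode chain in `_unescapeHTML` is correct only because the ampersand replacement runs last, and that invariant is held by a trailing comment alone. A replacement later appended below it would decode text that has already been decoded once. Doing the substitution in a single pass, with one alternation over the handled entities and a lookup callback, removes the ordering dependency and gives the same result for the replacements visible here. The entity names in the sketch are inferred from the replacement targets, because this page appears to show them decoded; take the exact literals from the file. The function starts before this hunk.

```javascript
  // one pass over the input: every entity is decoded exactly once,
  // so no replacement can re-read the output of another
  var decoded = {'&lt;': '<', '&gt;': '>', '&nbsp;': ' ', '\u00A0': ' ', '&amp;': '&'};
  return htmlEscaped.replace(/&(?:lt|gt|nbsp|amp);|\u00A0/g, function (entity) {
    return decoded[entity];
  });
```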
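Review bot: The two fixture values added to the `json` object in the second hunk are only displayed, and nothing visible asserts that a value comes back unchanged after an escape/unescape round trip; the file looks like a page opened by hand. The case the ordering comments in `Node.js` protect is text that already contains an entity-like sequence or markup. Consider adding such a value next to them, for example the constructed sample `"markup": '<b>not bold</b> & more',`, and a scripted check that the editor returns it byte for byte. The surrounding script continues outside the hunk.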