/src/main/lib/escaping-stragegy/html-attribute.ts
import {TwingEscapingStrategyHandler} from "../escaping-strategy";
const phpOrd = require('locutus/php/strings/ord');
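/**
 * Builds the escaping handler used for HTML attribute values.
 *
 * The handler works as an allowlist: every character that is not an ASCII
 * letter or digit, comma, period, hyphen or underscore is escaped, so the
 * output can only be read as data inside an attribute value. Only the four
 * named entities that XML also defines are used; C0/C1 control characters
 * (tab, line feed and carriage return excepted) are replaced by the Unicode
 * replacement character rather than emitted. The handler does not add the
 * surrounding quotes itself — the template still has to quote the attribute.
 *
 * Characters without a named entity become hex entities, zero-padded only
 * from one to two and from three to four digits (`&#x09;`, `&#xE9;`,
 * `&#x0100;`, `&#x1F600;`), matching the upstream implementation.
 *
 * @returns A handler mapping an attribute value to its escaped form.
 */
export const createHtmlAttributeEscapingStrategyHandler = (): TwingEscapingStrategyHandler => {
    /**
     * This function is adapted from code coming from Zend Framework.
     *
     * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
     * @license   http://framework.zend.com/license/new-bsd New BSD License
     */
    /*
     * While HTML supports far more named entities, the lowest common denominator
     * has become HTML5's XML Serialisation which is restricted to those named
     * entities that XML supports. Using HTML entities would result in this error:
     *     XML Parsing Error: undefined entity
     *
     * Built once per handler instead of once per escaped character.
     */
    const entityMap = new Map<number, string>([
        [34, 'quot'], /* quotation mark */
        [38, 'amp'], /* ampersand */
        [60, 'lt'], /* less-than sign */
        [62, 'gt'] /* greater-than sign */
    ]);

    // Everything outside this allowlist is escaped. The `u` flag makes each
    // match a whole code point, so an astral character becomes a single entity.
    const unsafeCharacter = /[^a-zA-Z0-9,.\-_]/ug;

    const escapeCharacter = (chr: string): string => {
        // Each match is exactly one code point (see the `u` flag above), so a
        // single lookup replaces the former phpOrd() + codePointAt() pair that
        // produced the same value twice.
        const codePoint = chr.codePointAt(0)!;

        /*
         * The following replaces characters undefined in HTML with the
         * hex entity for the Unicode replacement character.
         */
        if ((codePoint <= 0x1f && chr !== "\t" && chr !== "\n" && chr !== "\r")
            || (codePoint >= 0x7f && codePoint <= 0x9f)) {
            return '&#xFFFD;';
        }

        /*
         * Check if the current character to escape has a name entity we should
         * replace it with while grabbing the hex value of the character.
         */
        const named = entityMap.get(codePoint);

        if (named !== undefined) {
            return `&${named};`;
        }

        let hex = codePoint.toString(16).toUpperCase();

        // Pad one- and three-digit values to an even width; five-digit values
        // (supplementary planes) are deliberately left as they are.
        if (hex.length === 1 || hex.length === 3) {
            hex = '0' + hex;
        }

        /*
         * Per OWASP recommendations, we'll use hex entities for any other
         * characters where a named entity does not exist.
         */
        return `&#x${hex};`;
    };

    return (value: string): string => value.replace(unsafeCharacter, escapeCharacter);
};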