Escape HTML on demo server (#1995)

fix: add missing parsing on submit
author: Pablo Nicolas Diaz <PabloNicolasDiaz@users.noreply.github.com> 2023-11-15 13:30:43 -0300
committer: GitHub <noreply@github.com> 2023-11-15 11:30:43 -0500
commit: 9fe0a680318c1ed9ae960193686cc02d33207d6d (patch)
tree: 7b3e785c22037e8f8546040d13d7726bab4b1e01 /www/static/js/demo.js
parent: 5083393a9b1079341a75bd329c548af0b08526c1 (diff)
download: htmx-9fe0a680318c1ed9ae960193686cc02d33207d6d.tar.gz
htmx-9fe0a680318c1ed9ae960193686cc02d33207d6d.zip
1 files changed, 6 insertions, 2 deletions
diff --git a/www/static/js/demo.js b/www/static/js/demo.js
index 037006de..1228b4e3 100644
--- a/www/static/js/demo.js
+++ b/www/static/js/demo.js
@@ -28,8 +28,8 @@ function parseParams(str) {
             str = str.substr(1);
         }
         while (e = re.exec(str)) {
-            var k = decode(e[1]);
-            var v = decode(e[2]);
+            var k = encodeHTML(decode(e[1]));
+            var v = encodeHTML(decode(e[2]));
             if (params[k] !== undefined) {
                 if (!Array.isArray(params[k])) {
                     params[k] = [params[k]];
@@ -52,6 +52,10 @@ function getQuery(url) {
         url.substring(question + 1, hash);
 }
 
+function encodeHTML(s) {
+    return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;');
+}
+
 function params(request) {
     if (server.getHTTPMethod(request) == "GET") {
         return parseParams(getQuery(request.url));
author	Pablo Nicolas Diaz <PabloNicolasDiaz@users.noreply.github.com>	2023-11-15 13:30:43 -0300
committer	GitHub <noreply@github.com>	2023-11-15 11:30:43 -0500
commit	9fe0a680318c1ed9ae960193686cc02d33207d6d (patch)
tree	7b3e785c22037e8f8546040d13d7726bab4b1e01 /www/static/js/demo.js
parent	5083393a9b1079341a75bd329c548af0b08526c1 (diff)
download	htmx-9fe0a680318c1ed9ae960193686cc02d33207d6d.tar.gz htmx-9fe0a680318c1ed9ae960193686cc02d33207d6d.zip