Merge pull request #1980 from swilliamset/update-clean-input-utility

refactor `cleanInput` utility method  to prevent double encoding

Author: futuremint

js/utilities.js

@@ -53,16 +53,18 @@
 	var isUpArrow = isKey(CONST.UP_ARROW_KEYCODE);
 	var isDownArrow = isKey(CONST.DOWN_ARROW_KEYCODE);
 
-	// https://github.com/ExactTarget/fuelux/issues/1841
-	var xssRegex = /<.*>/;
-	var cleanInput = function cleanInput (questionableInput) {
-		var cleanedInput = questionableInput;
-
-		if (xssRegex.test(cleanedInput)) {
-			cleanedInput = $('<i>').text(questionableInput).html();
+	var ENCODED_REGEX = /&[^\s]*;/;
+	/*
+	 * to prevent double encoding decodes content in loop until content is encoding free
+	 */
+	var cleanInput = function cleanInput (questionableMarkup) {
+		// check for encoding and decode
+		while (ENCODED_REGEX.test(questionableMarkup)) {
+			questionableMarkup = $('<i>').html(questionableMarkup).text();
 		}
 
-		return cleanedInput;
+		// string completely decoded now encode it
+		return $('<i>').text(questionableMarkup).html();
 	};
 
 	$.fn.utilities = {
@@ -79,4 +81,3 @@
 	// -- BEGIN UMD WRAPPER AFTERWORD --
 }));
 // -- END UMD WRAPPER AFTERWORD --
-

package.json

@@ -20,7 +20,9 @@
     "updatereferences": "grunt shell:copyToReference"
   },
   "dependencies": {
+    "babel-eslint": "^7.2.3",
     "bootstrap": "3.3.7",
+    "eslint-plugin-react": "^7.0.1",
     "jquery": "3.2.1",
     "moment": "2.18.1"
   },

test/tests.js

@@ -60,4 +60,5 @@ define(function testWrapper (require) {
 	require('./test/picker-test');
 	require('./test/tree-test');
 	require('./test/wizard-test');
+	require('./test/utilities-test');
 });

test/utilities-test.js

@@ -0,0 +1,41 @@
+define( function utilitiesTestModule(require) {
+	var QUnit = require('qunit');
+	var $ = require('jquery');
+
+	require('fuelux/utilities');
+
+	QUnit.module( 'Fuel UX Utilities', function utilitiesTests() {
+		QUnit.test( 'should be defined on jquery object', function utilitiesObjectDefinedTest( assert ) {
+			assert.equal(typeof $().utilities,  'object', 'utilities object is defined' );
+		});
+
+		QUnit.module( 'cleanInput Method', {
+			beforeEach: function beforeEachUtilitiesCleanInputTests() {
+				this.utilities = $().utilities;
+				this.cleanInput = this.utilities.cleanInput;
+			}
+		}, function utilitiesCleanInputTests() {
+			QUnit.test( 'should be defined on utilities object', function cleanInputMethodDefinedTest( assert ) {
+				assert.equal(typeof this.utilities.cleanInput,  'function', 'cleanInput function is defined' );
+			});
+
+			QUnit.test( 'should encode strings', function cleanInputMethodEncodeTest( assert ) {
+				var dirtyString = '<script>';
+				var cleanString = '&lt;script&gt;';
+				assert.equal(this.cleanInput(dirtyString),  cleanString, 'string should be encoded' );
+			});
+
+			QUnit.test( 'should not double encode strings', function cleanInputMethodEncodeTest( assert ) {
+				var variants = [
+					{dirtyString: '&lt;&gt;', cleanString: '&lt;&gt;'},
+					{dirtyString: '&lt;script&gt;', cleanString: '&lt;script&gt;'},
+					{dirtyString: '<&lt;&gt;>', cleanString: '&lt;&lt;&gt;&gt;'}
+				];
+
+				variants.forEach(function forEachDoubleEncodeVariant(variant, index) {
+					assert.equal(this.cleanInput(variant.dirtyString), variant.cleanString, 'variant ' + (index + 1) + ' string should be encoded' );
+				}, this);
+			});
+		});
+	});
+});