Module javascript

Expand description

javascript contextual output encoders.

provides four encoding contexts:

for_javascript — universal encoder, safe in HTML attributes, script blocks, and standalone .js files
for_javascript_attribute — optimized for HTML event attributes (e.g., onclick="...")
for_javascript_block — optimized for <script> blocks
for_javascript_source — optimized for standalone .js / JSON files

§security notes

none of these encoders encode the grave accent (`). never embed untrusted data directly inside ES2015+ template literals. instead, encode the data into a regular javascript string variable, then reference that variable from the template literal.
these encoders are for string literal contexts only. they cannot make arbitrary javascript expressions, variable names, or property accessors safe.
for_javascript_block and for_javascript_source use backslash escapes for quotes (\", \') which are not safe in HTML attribute contexts.
for_javascript_attribute does not escape / and is not safe in <script> blocks where </script> could appear.

for_javascript: encodes input for safe embedding in a javascript string literal.
for_javascript_attribute: encodes input for safe embedding in a javascript string literal inside an HTML event attribute (e.g., onclick="...").
for_javascript_block: encodes input for safe embedding in a javascript string literal inside an HTML <script> block.
for_javascript_source: encodes input for safe embedding in a javascript string literal in a standalone .js or JSON file.
write_javascript: writes the javascript-encoded form of input to out.
write_javascript_attribute: writes the javascript-attribute-encoded form of input to out.
write_javascript_block: writes the javascript-block-encoded form of input to out.
write_javascript_source: writes the javascript-source-encoded form of input to out.