1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57
/// Escape HTML following [OWASP](https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet)
///
/// Escape the following characters with HTML entity encoding to prevent switching
/// into any execution context, such as script, style, or event handlers. Using
/// hex entities is recommended in the spec. In addition to the 5 characters
/// significant in XML (&, <, >, ", '), the forward slash is included as it helps
/// to end an HTML entity.
///
/// ```text
/// & --> &
/// < --> <
/// > --> >
/// " --> "
/// ' --> ' ' is not recommended
/// / --> / forward slash is included as it helps end an HTML entity
/// ```
#[inline] // TODO: check if the inline matters in benches
pub fn escape_html(input: &str) -> String {
let mut output = String::with_capacity(input.len() * 2);
for c in input.chars() {
match c {
'&' => output.push_str("&"),
'<' => output.push_str("<"),
'>' => output.push_str(">"),
'"' => output.push_str("""),
'\'' => output.push_str("'"),
'/' => output.push_str("/"),
// Additional one for old IE (unpatched IE8 and below)
// See https://github.com/OWASP/owasp-java-encoder/wiki/Grave-Accent-Issue
'`' => output.push_str("`"),
_ => output.push(c),
}
}
// Not using shrink_to_fit() on purpose
output
}
#[cfg(test)]
mod tests {
use super::escape_html;
#[test]
fn test_escape_html() {
let tests = vec![
(r"a&b", "a&b"),
(r"<a", "<a"),
(r">a", ">a"),
(r#"""#, """),
(r#"'"#, "'"),
(r#"大阪"#, "大阪"),
];
for (input, expected) in tests {
assert_eq!(escape_html(input), expected);
}
}
}