update javascript encoding

dashboard-ui/scripts/extensions.js

@@ -1,11 +1,43 @@
-function htmlEncode(value) {
+// Regular Expressions for parsing tags and attributes
-    //create a in-memory div, set it's inner text(which jQuery automatically encodes)
+var SURROGATE_PAIR_REGEXP = /[\uD800-\uDBFF][\uDC00-\uDFFF]/g,
-    //then grab the encoded contents back out.  The div never exists on the page.
+  // Match everything outside of normal chars and " (quote character)
-    return $('<div/>').text(value).html();
+  NON_ALPHANUMERIC_REGEXP = /([^\#-~| |!])/g;
+
+var hiddenPre = document.createElement("pre");
+/**
+ * decodes all entities into regular string
+ * @param value
+ * @returns {string} A string with decoded entities.
+ */
+function htmlDecode(value) {
+    if (!value) { return ''; }
+
+    hiddenPre.innerHTML = value.replace(/</g, "&lt;");
+    // innerText depends on styling as it doesn't display hidden elements.
+    // Therefore, it's better to use textContent not to cause unnecessary reflows.
+    return hiddenPre.textContent;
 }
 
-function htmlDecode(value) {
+/**
-    return $('<div/>').html(value).text();
+ * Escapes all potentially dangerous characters, so that the
+ * resulting string can be safely inserted into attribute or
+ * element text.
+ * @param value
+ * @returns {string} escaped text
+ */
+function htmlEncode(value) {
+    return value.
+      replace(/&/g, '&amp;').
+      replace(SURROGATE_PAIR_REGEXP, function (value) {
+          var hi = value.charCodeAt(0);
+          var low = value.charCodeAt(1);
+          return '&#' + (((hi - 0xD800) * 0x400) + (low - 0xDC00) + 0x10000) + ';';
+      }).
+      replace(NON_ALPHANUMERIC_REGEXP, function (value) {
+          return '&#' + value.charCodeAt(0) + ';';
+      }).
+      replace(/</g, '&lt;').
+      replace(/>/g, '&gt;');
 }
 
 // Array Remove - By John Resig (MIT Licensed)