Replace the implementation of escapeTextContentForBrowser with escape…
…-html (facebook#6862)

* Replacing the implementation of escapeTextContentForBrowser with escape-html for performance

* Addressing @spicyj's code review comment here: facebook#6862 (comment). Pulled the code of escape-html into React and changed the encoding of the single quote to &#x27;.

* Addressing code review comment facebook#6862 (comment) to make code more inlinable for v8. Thanks, @spicyj.

(cherry picked from commit d6e7058)
aickin authored and zpao committed Jun 8, 2016
1 parent 763605b commit c1ccb26
Showing 1 changed file with 94 additions and 12 deletions.
106 changes: 94 additions & 12 deletions src/renderers/dom/shared/escapeTextContentForBrowser.js
@@ -1,29 +1,105 @@
/**
* Copyright 2013-present, Facebook, Inc.
* Copyright 2016-present, Facebook, Inc.
* All rights reserved.
*
* This source code is licensed under the BSD-style license found in the
* LICENSE file in the root directory of this source tree. An additional grant
* of patent rights can be found in the PATENTS file in the same directory.
*
* Based on the escape-html library, which is used under the MIT License below:
*
* Copyright (c) 2012-2013 TJ Holowaychuk
* Copyright (c) 2015 Andreas Lubbe
* Copyright (c) 2015 Tiancheng "Timothy" Gu
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* 'Software'), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*
* @providesModule escapeTextContentForBrowser
*/

'use strict';

var ESCAPE_LOOKUP = {
'&': '&',
'>': '>',
'<': '&lt;',
'"': '&quot;',
'\'': '&#x27;',
};
// code copied and modified from escape-html
/**
* Module variables.
* @private
*/

var matchHtmlRegExp = /["'&<>]/;

/**
* Escape special characters in the given string of html.
*
* @param {string} string The string to escape for inserting into HTML
* @return {string}
* @public
*/

function escapeHtml(string) {
var str = '' + string;
var match = matchHtmlRegExp.exec(str);

if (!match) {
return str;
}

var ESCAPE_REGEX = /[&><"']/g;
var escape;
var html = '';
var index = 0;
var lastIndex = 0;

function escaper(match) {
return ESCAPE_LOOKUP[match];
for (index = match.index; index < str.length; index++) {
switch (str.charCodeAt(index)) {
case 34: // "
escape = '&quot;';
break;
case 38: // &
escape = '&amp;';
break;
case 39: // '
escape = '&#x27;'; // modified from escape-html; used to be '&#39'
break;
case 60: // <
escape = '&lt;';
break;
case 62: // >
escape = '&gt;';
break;
default:
continue;
}

if (lastIndex !== index) {
html += str.substring(lastIndex, index);
}

lastIndex = index + 1;
html += escape;
}

return lastIndex !== index
? html + str.substring(lastIndex, index)
: html;
}
// end code copied and modified from escape-html


/**
* Escapes text to prevent scripting attacks.
Expand All @@ -32,7 +108,13 @@ function escaper(match) {
* @return {string} An escaped string.
*/
function escapeTextContentForBrowser(text) {
return ('' + text).replace(ESCAPE_REGEX, escaper);
if (typeof text === 'boolean' || typeof text === 'number') {
// this shortcircuit helps perf for types that we know will never have
// special characters, especially given that this function is used often
// for numeric dom ids.
return '' + text;
}
return escapeHtml(text);
}

module.exports = escapeTextContentForBrowser;
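Review bot: The docstring above escapeTextContentForBrowser still says only "Escapes text to prevent scripting attacks" and does not name the output contexts for which that holds, while the new escapeHtml rewrites exactly five characters (`"`, `'`, `&`, `<`, `>`). That set is enough for element text and quoted attribute values, but not for unquoted attributes, URL-valued attributes, or script/style bodies, so I would add a line such as `* Safe only for HTML text content and quoted attribute values; not for unquoted attributes, URLs, or <script>/<style> bodies.` to that docstring, part of which is collapsed on this page. The commit changes one file only, so a unit test pinning the five mappings would be worth adding, in particular `'` to `&#x27;`, which deliberately differs from upstream escape-html. The JSDoc on escapeHtml is also tagged `@public` although only escapeTextContentForBrowser is exported; `@private` would match how the module is actually used.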
