mirror of
https://github.com/marko-js/marko.git
synced 2025-12-08 19:26:05 +00:00
118 lines
3.0 KiB
JavaScript
118 lines
3.0 KiB
JavaScript
'use strict';
|
|
var extend = require('raptor-util/extend');
|
|
|
|
var STYLE_ATTR = 'style';
|
|
var CLASS_ATTR = 'class';
|
|
var escapeEndingScriptTagRegExp = /<\//g;
|
|
|
|
var escape = require('./escape');
|
|
var escapeXml = escape.escapeXml;
|
|
var escapeXmlAttr = escape.escapeXmlAttr;
|
|
var attrHelper = require('./helper-attr');
|
|
var attrsHelper = require('./helper-attrs');
|
|
|
|
|
|
var classList;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
* Internal method to escape special XML characters
|
|
* @private
|
|
*/
|
|
exports.x = escapeXml;
|
|
/**
|
|
* Internal method to escape special XML characters within an attribute
|
|
* @private
|
|
*/
|
|
exports.xa = escapeXmlAttr;
|
|
|
|
/**
|
|
* Escapes the '</' sequence in the body of a <script> body to avoid the `<script>` being
|
|
* ended prematurely.
|
|
*
|
|
* For example:
|
|
* var evil = {
|
|
* name: '</script><script>alert(1)</script>'
|
|
* };
|
|
*
|
|
* <script>var foo = ${JSON.stringify(evil)}</script>
|
|
*
|
|
* Without escaping the ending '</script>' sequence the opening <script> tag would be
|
|
* prematurely ended and a new script tag could then be started that could then execute
|
|
* arbitrary code.
|
|
*/
|
|
exports.xs = function escapeScriptHelper(val) {
|
|
return (typeof val === 'string') ? val.replace(escapeEndingScriptTagRegExp, '\\u003C/') : val;
|
|
};
|
|
|
|
/**
|
|
* Internal method to render a single HTML attribute
|
|
* @private
|
|
*/
|
|
exports.a = attrHelper;
|
|
|
|
/**
|
|
* Internal method to render multiple HTML attributes based on the properties of an object
|
|
* @private
|
|
*/
|
|
exports.as = attrsHelper;
|
|
|
|
/**
|
|
* Internal helper method to handle the "style" attribute. The value can either
|
|
* be a string or an object with style propertes. For example:
|
|
*
|
|
* sa('color: red; font-weight: bold') ==> ' style="color: red; font-weight: bold"'
|
|
* sa({color: 'red', 'font-weight': 'bold'}) ==> ' style="color: red; font-weight: bold"'
|
|
*/
|
|
exports.sa = function(style) {
|
|
if (!style) {
|
|
return '';
|
|
}
|
|
|
|
if (typeof style === 'string') {
|
|
return attrHelper(STYLE_ATTR, style, false);
|
|
} else if (typeof style === 'object') {
|
|
var parts = [];
|
|
for (var name in style) {
|
|
if (style.hasOwnProperty(name)) {
|
|
var value = style[name];
|
|
if (value) {
|
|
parts.push(name + ':' + value);
|
|
}
|
|
}
|
|
}
|
|
return parts ? attrHelper(STYLE_ATTR, parts.join(';'), false) : '';
|
|
} else {
|
|
return '';
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Internal helper method to handle the "class" attribute. The value can either
|
|
* be a string, an array or an object. For example:
|
|
*
|
|
* ca('foo bar') ==> ' class="foo bar"'
|
|
* ca({foo: true, bar: false, baz: true}) ==> ' class="foo baz"'
|
|
* ca(['foo', 'bar']) ==> ' class="foo bar"'
|
|
*/
|
|
exports.ca = function(classNames) {
|
|
if (!classNames) {
|
|
return '';
|
|
}
|
|
|
|
if (typeof classNames === 'string') {
|
|
return attrHelper(CLASS_ATTR, classNames, false);
|
|
} else {
|
|
return attrHelper(CLASS_ATTR, classList(classNames), false);
|
|
}
|
|
};
|
|
|
|
|
|
|
|
var commonHelpers = require('../helpers');
|
|
classList = commonHelpers.cl;
|
|
extend(exports, commonHelpers); |