dart: Escape HTML in todo rendering

3abb0607 · Pascal Hartig · eec36343 · 3abb0607 · 3abb0607
Commit 3abb0607 authored Jan 16, 2013 by Pascal Hartig
Showing with 15 additions and 2 deletions

architecture-examples/dart/web/dart/TodoWidget.dart architecture-examples/dart/web/dart/TodoWidget.dart +2 -2

architecture-examples/dart/web/dart/app.dart architecture-examples/dart/web/dart/app.dart +13 -0

No files found.
--- a/architecture-examples/dart/web/dart/TodoWidget.dart
+++ b/architecture-examples/dart/web/dart/TodoWidget.dart
@@ -13,10 +13,10 @@ class TodoWidget {
 			<li ${todo.completed ? 'class="completed"' : ''}>
 			<div class='view'>
 			<input class='toggle' type='checkbox' ${todo.completed ? 'checked' : ''}>
-			<label class='todo-content'>${todo.title}</label>
+			<label class='todo-content'>${htmlEscape(todo.title)}</label>
 			<button class='destroy'></button>
 			</div>
-			<input class='edit' value='${todo.title}'>
+			<input class='edit' value='${htmlEscape(todo.title)}'>
 			</li>
 		''');


--- a/architecture-examples/dart/web/dart/app.dart
+++ b/architecture-examples/dart/web/dart/app.dart
@@ -40,3 +40,16 @@ class UUID {
 		return random.nextInt(65536).toRadixString(16);
 	}
 }
+
+/**
+ * Escapes HTML-special characters of [text] so that the result can be
+ * included verbatim in HTML source code, either in an element body or in an
+ * attribute value.
+ */
+String htmlEscape(String text) {
+  return text.replaceAll("&", "&amp;")
+             .replaceAll("<", "&lt;")
+             .replaceAll(">", "&gt;")
+             .replaceAll('"', "&quot;")
+             .replaceAll("'", "&apos;");
+}