Merge pull request #398 from passy/dart-escaping

dart: Escape HTML in todo rendering

architecture-examples/dart/web/dart/TodoWidget.dart

@@ -13,10 +13,10 @@ class TodoWidget {
 			<li ${todo.completed ? 'class="completed"' : ''}>
 			<div class='view'>
 			<input class='toggle' type='checkbox' ${todo.completed ? 'checked' : ''}>
-			<label class='todo-content'>${todo.title}</label>
+			<label class='todo-content'>${htmlEscape(todo.title)}</label>
 			<button class='destroy'></button>
 			</div>
-			<input class='edit' value='${todo.title}'>
+			<input class='edit' value='${htmlEscape(todo.title)}'>
 			</li>
 		''');
 

architecture-examples/dart/web/dart/app.dart

@@ -40,3 +40,16 @@ class UUID {
 		return random.nextInt(65536).toRadixString(16);
 	}
 }
+
+/**
+ * Escapes HTML-special characters of [text] so that the result can be
+ * included verbatim in HTML source code, either in an element body or in an
+ * attribute value.
+ */
+String htmlEscape(String text) {
+  return text.replaceAll("&", "&")
+             .replaceAll("<", "&lt;")
+             .replaceAll(">", "&gt;")
+             .replaceAll('"', "&quot;")
+             .replaceAll("'", "&apos;");
+}