Merge pull request #77 from gchq/bug-html-entities

Fixed double encoding of HTML entities.

src/html/index.html

@@ -22,7 +22,7 @@
 <!DOCTYPE html>
 <html>
     <head>
-        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+        <meta charset="UTF-8">
         <title>CyberChef</title>
         
         <meta name="copyright" content="Crown Copyright 2016" />

src/js/core/Utils.js

@@ -901,20 +901,30 @@ var Utils = {
 
 
     /**
-     * Escapes HTML tags in a string to stop them being rendered
+     * Escapes HTML tags in a string to stop them being rendered.
+     * https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
      *
      * @param {string} str
      * @returns string
      *
      * @example
-     * // return "A <script> tag"
+     * // return "A <script> tag"
      * Utils.escapeHtml("A <script> tag");
      */
     escapeHtml: function(str) {
-        return str.replace(/</g, "&lt;")
-                  .replace(/'/g, "&apos;")
-                  .replace(/"/g, "&quot;")
-                  .replace(/&/g, "&amp;");
+        var HTML_CHARS = {
+            "&": "&amp;",
+            "<": "&lt;",
+            ">": "&gt;",
+            '"': "&quot;",
+            "'": "&#x27;", // &apos; not recommended because it's not in the HTML spec
+            "/": "&#x2F;", // forward slash is included as it helps end an HTML entity
+            "`": "&#x60;"
+        };
+
+        return str.replace(/[&<>"'\/`]/g, function (match) {
+            return HTML_CHARS[match];
+        });
     },
 
 

src/static/stats.txt

@@ -1,9 +1,9 @@
-212	source files
-115641	lines
+211	source files
+115651	lines
 4.3M	size
 
 142	JavaScript source files
-106451	lines
+106461	lines
 3.8M	size
 
 83	third party JavaScript source files
@@ -11,7 +11,7 @@
 3.0M	size
 
 59	first party JavaScript source files
-20193	lines
+20203	lines
 752K	size
 
 3.5M	uncompressed JavaScript size