📅  Last modified: 2022-03-11 15:02:32.780000             🧑  Author: Mango
- All usual techniques apply to node.js output as well, which means:
* Blacklists will not work.
* You're not supposed to filter input in order to protect HTML output. It will not work or will work by needlessly malforming the data.
* You're supposed to HTML-escape text in HTML output.
- I'm not sure if node.js comes with some built-in for this, but something like that should do the job:
function htmlEscape(text) {
  // & must be replaced first, otherwise the entities produced below get double-escaped
  return text.replace(/&/g, '&amp;').
    replace(/</g, '&lt;').
    replace(/>/g, '&gt;').      // not strictly required in text content, but harmless
    replace(/"/g, '&quot;').    // quotes matter when the value lands inside an attribute
    replace(/'/g, '&#39;');
}