Switched from lodash to builtin escaping scheme

jaytmiller · Mar 26, 2024 · 8d3efda · 8d3efda
1 parent 012b657
commit 8d3efda
Showing 1 changed file with 22 additions and 13 deletions.
diff --git a/src/index.ts b/src/index.ts
@@ -3,7 +3,15 @@ import { Widget } from '@lumino/widgets';
 import { IStatusBar } from '@jupyterlab/statusbar';
 import { Dialog, showDialog } from '@jupyterlab/apputils';
 import { ISettingRegistry } from '@jupyterlab/settingregistry';
-import { escape } from 'lodash'; // Or a preferred sanitizer
+
+// ===================================================================================
+
+// Use the browser's built-in functionality to quickly and safely escape the string
+function escapeHtml(html: string): string {
+    var div = document.createElement('div');
+    div.appendChild(document.createTextNode(html));
+    return div.innerHTML;
+}
 
 // ===================================================================================
 
@@ -13,15 +21,15 @@ class Message {
   username: string;
   timestamp: string;
   expires: string;
-  level: Levels;
-  message: string; // Sanitized string
-
-  constructor(username: string, timestamp: string, expires: string, level: Levels, message: string) {
-    this.username = username;
-    this.timestamp = timestamp;
-    this.expires = expires;
-    this.level = level;
-    this.message = message;
+  level: string;
+  message: string; 
+
+  constructor(username: string, timestamp: string, expires: string, level: string, message: string) {
+    this.username = escapeHtml(username);
+    this.timestamp = escapeHtml(timestamp);
+    this.expires = escapeHtml(expires);
+    this.level = escapeHtml(level);
+    this.message = escapeHtml(message);
   }
 
   fmtTimestamp(): string {
@@ -46,7 +54,7 @@ class MessageBlock {
   messages: Message[];
 
   constructor(title: string, messages: Message[]) {
-    this.title = title;
+    this.title = escapeHtml(title);
     this.messages = messages;
   }
 
@@ -92,9 +100,9 @@ class AnnouncementsData {
 function jsonToAnnouncementsData(jsonData: any): AnnouncementsData {
   const blocks = jsonData.blocks.map((blockData: MessageBlock) => {
     const messages = blockData.messages.map((msg: Message) => {
-      return new Message(escape(msg.username), escape(msg.timestamp), escape(msg.expires), msg.level, escape(msg.message));
+      return new Message(msg.username, msg.timestamp, msg.expires, msg.level, msg.message);
     });
-    return new MessageBlock(escape(blockData.title), messages);
+    return new MessageBlock(blockData.title, messages);
   });
   return new AnnouncementsData(jsonData.popup, jsonData.timestamp, blocks);
 }
@@ -194,6 +202,7 @@ class RefreshAnnouncements {
 
       const jsonData = await response.json();
       dlog('jsonData:', jsonData);
+
       if (!isValidAnnouncementsData(jsonData)) {
         dlog('Invalid announcement data.');
         throw new Error('Invalid announcement data');