ElliotChong · December 29, 2015 14:49
diff --git a/OUTPUT.md b/OUTPUT.md
diff --git a/sanitizeHTML.js b/sanitizeHTML.js
 var tests = [
 	"Bar",
 	"A <p>Baz!</p> B",
 	"<p>Foo</p> <script> a < b; </script> <span>Blam!</span>",
 	"<p>Foo</p> <script type='text/javascript'> a < b || c > d; </script> <span>Blam!</span>",
 	"D <p>Foo</p> <script type='text/javascript'>$('body').append('<' + 'script> a < b; <' + '/script>');</script> <span>Blam!</span> F <b>O</b>",
 	"D <p>Foo</p> <script><![CDATA[ $('body').append('<script> a < b; </script>'); ]]></script> <span>Blam!</span> F <b>O</b>",
 	"D <p>Foo</p> <script type='text/javascript' ><![CDATA[ $('body').append('<script> a < b; </script>'); ]]></script> <span>Blam!</span> F <b>O</b>",
 	"<script type='text/javascript' > a < b || c > d; </script>",
 	"<script > a < b || c > d; </script>"
 ];

 var expected = [
 	"Bar",
 	"A &lt;p&gt;Baz!&lt;/p&gt; B",
 	"&lt;p&gt;Foo&lt;/p&gt; &lt;script&gt; a < b; &lt;/script&gt; &lt;span&gt;Blam!&lt;/span&gt;",
 	"&lt;p&gt;Foo&lt;/p&gt; &lt;script type='text/javascript'&gt; a < b || c > d; &lt;/script&gt; &lt;span&gt;Blam!&lt;/span&gt;",
 	"D &lt;p&gt;Foo&lt;/p&gt; &lt;script type='text/javascript'&gt;$('body').append('<' + 'script> a < b; <' + '/script>');&lt;/script&gt; &lt;span&gt;Blam!&lt;/span&gt; F &lt;b&gt;O&lt;/b&gt;",
 	"D &lt;p&gt;Foo&lt;/p&gt; &lt;script&gt;<![CDATA[ $('body').append('<script> a < b; </script>'); ]]>&lt;/script&gt; &lt;span&gt;Blam!&lt;/span&gt; F &lt;b&gt;O&lt;/b&gt;",
 	"D &lt;p&gt;Foo&lt;/p&gt; &lt;script type='text/javascript' &gt;<![CDATA[ $('body').append('<script> a < b; </script>'); ]]>&lt;/script&gt; &lt;span&gt;Blam!&lt;/span&gt; F &lt;b&gt;O&lt;/b&gt;",
 	"&lt;script type='text/javascript' &gt; a < b || c > d; &lt;/script&gt;",
 	"&lt;script &gt; a < b || c > d; &lt;/script&gt;"
 ];

 // Caching the RegExps to avoid instantiating on each sanitize() call
 var sanitizeRegExps = {
 	containsScriptWithBracket: /(<\s*script.*>.*(<|>)+.*<\s*\/\s*script\s*>)/,
 	isScript: /(<\s*script.*>)|(<\s*\/\s*script\s*>)/,
 	splitOnScript: /(<\s*script.*>.*<\s*\/\s*script\s*>)/,
 	splitOnFirstScript: /^(<\s*script)/,
 	splitOnLastScript: /(<\s*\/\s*script\s*>$)/,
 	lt: /</g,
 	gt: />/g
 };

 function sanitize(p_string)
 {
 	function replaceBrackets(p_string)
 	{
 		return p_string.replace(sanitizeRegExps.lt, '&lt;').replace(sanitizeRegExps.gt, '&gt;');
 	}

 	if (sanitizeRegExps.containsScriptWithBracket.test(p_string))
 	{
 		var modified = "";

 		p_string.split(sanitizeRegExps.splitOnScript).forEach(
 			function (p_split)
 			{
 				if (!sanitizeRegExps.isScript.test(p_split))
 				{
 					modified += replaceBrackets(p_split);
 				}
 				else
 				{
 					var splits = p_split.split(sanitizeRegExps.splitOnFirstScript);

 					// This shouldn't ever happen, but just incase there is some browser inconsistency or something...
 					if (splits.length !== 3)
 					{
 						console.warn("Unexpected <script> string passed, defaulting to sanitizing it.\n", splits);
 						return modified += replaceBrackets(p_split);
 					}

 					modified += replaceBrackets(splits[1]);
 					scriptEndIndex = splits[2].indexOf(">") + 1;
 					modified += replaceBrackets(splits[2].slice(0, scriptEndIndex));
 					splits = splits[2].slice(scriptEndIndex).split(sanitizeRegExps.splitOnLastScript);
 					modified += splits[0];
 					modified += replaceBrackets(splits[1]);
 				}
 			}
 		);

 		return modified;
 	}
 	else
 	{
 		return replaceBrackets(p_string);
 	}
 }

 tests.forEach(
 	function (p_value, p_index)
 	{
 		var sanitized = sanitize(p_value);
 		if (sanitized != expected[p_index])
 		{
 			console.log("✘\t", sanitized, "\n");
 		}
 		else
 		{
 			console.log("✓\t", sanitized, "\n");
 		}
 	}
 );
	var tests = [
	"Bar",
	"A <p>Baz!</p> B",
	"<p>Foo</p> <script> a < b; </script> <span>Blam!</span>",
	"<p>Foo</p> <script type='text/javascript'> a < b \|\| c > d; </script> <span>Blam!</span>",
	"D <p>Foo</p> <script type='text/javascript'>$('body').append('<' + 'script> a < b; <' + '/script>');</script> <span>Blam!</span> F <b>O</b>",
	"D <p>Foo</p> <script><![CDATA[ $('body').append('<script> a < b; </script>'); ]]></script> <span>Blam!</span> F <b>O</b>",
	"D <p>Foo</p> <script type='text/javascript' ><![CDATA[ $('body').append('<script> a < b; </script>'); ]]></script> <span>Blam!</span> F <b>O</b>",
	"<script type='text/javascript' > a < b \|\| c > d; </script>",
	"<script > a < b \|\| c > d; </script>"
	];

	var expected = [
	"Bar",
	"A <p>Baz!</p> B",
	"<p>Foo</p> <script> a < b; </script> <span>Blam!</span>",
	"<p>Foo</p> <script type='text/javascript'> a < b \|\| c > d; </script> <span>Blam!</span>",
	"D <p>Foo</p> <script type='text/javascript'>$('body').append('<' + 'script> a < b; <' + '/script>');</script> <span>Blam!</span> F <b>O</b>",
	"D <p>Foo</p> <script><![CDATA[ $('body').append('<script> a < b; </script>'); ]]></script> <span>Blam!</span> F <b>O</b>",
	"D <p>Foo</p> <script type='text/javascript' ><![CDATA[ $('body').append('<script> a < b; </script>'); ]]></script> <span>Blam!</span> F <b>O</b>",
	"<script type='text/javascript' > a < b \|\| c > d; </script>",
	"<script > a < b \|\| c > d; </script>"
	];

	// Caching the RegExps to avoid instantiating on each sanitize() call
	var sanitizeRegExps = {
	containsScriptWithBracket: /(<\sscript.>.(<\|>)+.<\s\/\sscript\s*>)/,
	isScript: /(<\sscript.>)\|(<\s\/\sscript\s*>)/,
	splitOnScript: /(<\sscript.>.<\s\/\sscript\s>)/,
	splitOnFirstScript: /^(<\s*script)/,
	splitOnLastScript: /(<\s\/\sscript\s*>$)/,
	lt: /</g,
	gt: />/g
	};

	function sanitize(p_string)
	{
	function replaceBrackets(p_string)
	{
	return p_string.replace(sanitizeRegExps.lt, '<').replace(sanitizeRegExps.gt, '>');
	}

	if (sanitizeRegExps.containsScriptWithBracket.test(p_string))
	{
	var modified = "";

	p_string.split(sanitizeRegExps.splitOnScript).forEach(
	function (p_split)
	{
	if (!sanitizeRegExps.isScript.test(p_split))
	{
	modified += replaceBrackets(p_split);
	}
	else
	{
	var splits = p_split.split(sanitizeRegExps.splitOnFirstScript);

	// This shouldn't ever happen, but just incase there is some browser inconsistency or something...
	if (splits.length !== 3)
	{
	console.warn("Unexpected <script> string passed, defaulting to sanitizing it.\n", splits);
	return modified += replaceBrackets(p_split);
	}

	modified += replaceBrackets(splits[1]);
	scriptEndIndex = splits[2].indexOf(">") + 1;
	modified += replaceBrackets(splits[2].slice(0, scriptEndIndex));
	splits = splits[2].slice(scriptEndIndex).split(sanitizeRegExps.splitOnLastScript);
	modified += splits[0];
	modified += replaceBrackets(splits[1]);
	}
	}
	);

	return modified;
	}
	else
	{
	return replaceBrackets(p_string);
	}
	}

	tests.forEach(
	function (p_value, p_index)
	{
	var sanitized = sanitize(p_value);
	if (sanitized != expected[p_index])
	{
	console.log("✘\t", sanitized, "\n");
	}
	else
	{
	console.log("✓\t", sanitized, "\n");
	}
	}
	);