From 888af9543cb9b632b0671284771ca6a82aed47dd Mon Sep 17 00:00:00 2001
From: Urban Müller
Date: Mon, 25 Sep 2023 16:31:54 +0200
Subject: escape dangerous strings inside javascript, including env =

---
 it_html.class  | 2 ++
 test/it_html.t | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/it_html.class b/it_html.class
index 58784cf..716e066 100644
--- a/it_html.class
+++ b/it_html.class
@@ -561,6 +561,8 @@ static function U(...$args)
  */
 function js($args)
 {
+	$args = it::map(fn($v) => it::replace(['<!--' => '\\x3C!--', '<script' => '\\x3Cscript', '</script' => '\\x3C/script'], $v), $args);
+
 	if (($this->p['htmltype'][0] == 'x') && $args[0] && ((array)$args[0] === array_values((array)$args[0])))
 	{
 		array_unshift($args, "<!--//--><![CDATA[//><!--\n");
diff --git a/test/it_html.t b/test/it_html.t
index ae11ad1..e6477da 100755
--- a/test/it_html.t
+++ b/test/it_html.t
@@ -288,3 +288,5 @@ is(it_html::entity_decode("&#8217;"), "'", "it_html::entity_decode numeric decim
 is(it_html::entity_decode("&#xfff;"), " ", "it_html::entity_decode invalid numeric hex entity");
 is(it_html::entity_decode("&#999;"),  " ", "it_html::entity_decode invalid numeric decimal entity");
 is(it_html::entity_decode("&#x8b;"),   " ", "it_html::entity_decode entity von 0x80-0x9f");
+
+is(js('<SCriPT> </script> </SCriPT> <!--'), "<script type=\"text/javascript\">\\x3Cscript> \\x3C/script> \\x3C/script> \\x3C!--</script>\n", "escape dangerous js content");
-- 
cgit v1.2.3