Escape user input

6 years ago · 0338b5820d
3 changed files with 5 additions and 2 deletions
--- a/package.json
+++ b/package.json
@ -15,6 +15,7 @@
    "parcel-bundler": "^1.11.0"
  },
  "dependencies": {
    "escape-html": "^1.0.3",
    "modern-normalize": "^0.5.0"
  }
 }
--- a/script.js
+++ b/script.js
@ -1,3 +1,5 @@
 const escape = require('escape-html');
 const badgeLinkUrl = username => `https://tippin.me/@${username}`;
 const badgeImageUrl = username => `https://badgen.net/badge/%E2%9A%A1%EF%B8%8Ftippin.me/@${username}/F0918E`;
@ -11,7 +13,7 @@ const username = document.querySelector('input[name="username"]');
 const badgePreview = document.querySelector('.badge-preview');
 const generateBadge = () => {
-  badgePreview.innerHTML = badgeHtml(username.value);
+  badgePreview.innerHTML = badgeHtml(escape(username.value));
 };
 username.addEventListener('input', generateBadge);
--- a/yarn.lock
+++ b/yarn.lock
@ -1920,7 +1920,7 @@ es-to-primitive@^1.2.0:
    is-date-object "^1.0.1"
    is-symbol "^1.0.2"
-escape-html@~1.0.3:
+escape-html@^1.0.3, escape-html@~1.0.3:
  version "1.0.3"
  resolved "https://registry.yarnpkg.com/escape-html/-/escape-html-1.0.3.tgz#0258eae4d3d0c0974de1c169188ef0051d1d1988"
  integrity sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg=