prowler/ui/lib/safe-json.ts
Pablo Fernandez Guerra (PFE) 853610bbbf feat(ui): resolve public SaaS config at container runtime (#11500)
Co-authored-by: Pablo F.G <pablo.fernandez@prowler.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 15:12:18 +02:00


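// Escape a value for an inline <script>. Neutralizes < > & to block the
// </script>/<!-- breakout (the only vector when read as inert JSON), plus the
// U+2028/U+2029 line terminators that JSON.stringify leaves raw, so the output
// is also safe if ever inlined into an executed-JS context. JSON.parse decodes
// all of these back to the original characters.
//
// Every replacement is a JSON \uXXXX escape, so the result stays valid JSON
// and round-trips through JSON.parse unchanged.

// Characters that must not appear raw inside the <script> body.
const SCRIPT_UNSAFE = /[<>&\u2028\u2029]/g;

// Replacement table; its keys are exactly the characters SCRIPT_UNSAFE matches.
const SCRIPT_ESCAPES: Readonly<Record<string, string>> = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

/**
 * Serializes `value` as JSON that is safe to embed in an inline `<script>`.
 *
 * @param value - Any value `JSON.stringify` can represent.
 * @returns The JSON text with `<`, `>`, `&`, U+2028 and U+2029 replaced by
 *   `\uXXXX` escapes.
 * @throws TypeError when `value` has no JSON representation (`undefined`, a
 *   function or a symbol at the top level). `JSON.stringify` returns
 *   `undefined` for these, which would otherwise surface as an opaque
 *   "cannot read properties of undefined" failure on `.replace`.
 * @throws Whatever `JSON.stringify` throws (circular structures, BigInt).
 */
export function serializeForScript(value: unknown): string {
  const json = JSON.stringify(value);
  if (json === undefined) {
    throw new TypeError(
      "serializeForScript: value has no JSON representation (undefined, function or symbol)",
    );
  }
  // Single pass over the text; the `?? ch` fallback only satisfies
  // noUncheckedIndexedAccess since the table covers every match.
  return json.replace(SCRIPT_UNSAFE, (ch) => SCRIPT_ESCAPES[ch] ?? ch);
}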