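;; lib/dream/html.sx — Dream-on-SX HTML escaping for safe templating.
;; Interpolating user input into HTML without escaping is an XSS hole; dream-escape
;; neutralises it. Depends on nothing (pure string ops).

;; escape text for HTML element content / double-quoted attributes
;;
;; s -> string with the five HTML metacharacters replaced by entities:
;;   &  -> &amp;    <  -> &lt;    >  -> &gt;    "  -> &quot;    '  -> &#39;
;; The & pass must run first: every later entity introduces an &, and that
;; & must not be escaped a second time. Each replacement must also map to the
;; entity, not to the character itself, otherwise the whole function is a
;; no-op and nothing is escaped.
;; Covers element content and double-quoted attribute values only; it is not
;; an escape for URL, JavaScript or CSS contexts.
(define dream-escape
  (fn (s)
    (replace
      (replace
        (replace
          (replace
            (replace s "&" "&amp;")
            "<" "&lt;")
          ">" "&gt;")
        "\"" "&quot;")
      "'" "&#39;")))

;; build a single attribute: name="escaped-value"
;;
;; name -> emitted verbatim, so it must come from the template, never from
;;         untrusted input (only val goes through dream-escape).
;; val  -> escaped with dream-escape before being wrapped in double quotes.
(define dream-attr
  (fn (name val)
    (str name "=\"" (dream-escape val) "\"")))

;; join escaped text with a separator, escaping each piece
;;
;; sep    -> emitted verbatim between pieces (not escaped); keep it a
;;           template-controlled literal.
;; pieces -> each element is passed through dream-escape before joining.
(define dream-escape-join
  (fn (sep pieces)
    (join sep (map dream-escape pieces))))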