Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
;; lib/dream/html.sx — Dream-on-SX HTML escaping for safe templating.
;; Interpolating user input into HTML without escaping is an XSS hole; dream-escape
;; neutralises it. Depends on nothing (pure string ops).
;; escape text for HTML element content / double-quoted attributes
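;; dream-escape: replace the five HTML-significant characters in the string s
;; with their character entities, so the result is inert both in element
;; content and inside a double-quoted attribute value. Takes one string and
;; returns a new string; only the built-in replace is used.
;;
;; Order matters: the "&" pass runs first. Every later pass emits an "&" of
;; its own, so escaping "&" afterwards would double-encode those entities.
;;
;; NOTE(review): the rendered page showed each replacement string decoded to
;; the bare character it replaces ("&" -> "&", "<" -> "<", ...), which would
;; make every pass a no-op and defeat the purpose stated in the file header.
;; The literals below are the entities that header requires — confirm them
;; against the raw file.
(define
  dream-escape
  (fn
   (s)
   (replace
    (replace
     (replace (replace (replace s "&" "&amp;") "<" "&lt;") ">" "&gt;")
     "\""
     "&quot;")
    "'"
    "&#39;")))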
;; build a single attribute: name="escaped-value"
;; dream-attr: build one attribute of the form name="value", running the value
;; through dream-escape before it is wrapped in double quotes.
;; The attribute name is concatenated verbatim — it is neither escaped nor
;; validated here, so it must come from the template, never from user input.
(define dream-attr
  (fn (name val)
    (str name "=\"" (dream-escape val) "\"")))
;; join escaped text with a separator, escaping each piece
;; dream-escape-join: escape every element of pieces with dream-escape, then
;; join the escaped strings with sep. Only the pieces are escaped; sep is
;; inserted verbatim and is expected to be template text, not user input.
;; pieces is whatever sequence type map and join accept.
(define dream-escape-join
  (fn (sep pieces)
    (join sep (map dream-escape pieces))))