quoteAttributeValueForBrowser wraps the html-escaped string with double quotes.
escapeTextContentForBrowser escapes the characters " ' & < > in a string as HTML entities; boolean and numeric values are converted to strings and returned without escaping.
quoteAttributeValueForBrowser.js
'use strict';

// Escaper for the five HTML-significant characters " ' & < >.
// Booleans and numbers are stringified by it without escaping.
var escapeTextContentForBrowser = require('./escapeTextContentForBrowser');

/**
 * Builds a double-quoted HTML attribute value from `value`.
 *
 * The value is escaped first and only then wrapped in quotes, so a `"` inside
 * the input is passed through the escaper before the closing quote is added.
 * The result is only meaningful when emitted as a quoted attribute value;
 * escaping alone does not vet URL schemes or inline script content.
 *
 * @param {*} value Value to escape and quote.
 * @return {string} The escaped value surrounded by double quotes.
 */
function quoteAttributeValueForBrowser(value) {
  var escapedValue = escapeTextContentForBrowser(value);
  return '"' + escapedValue + '"';
}

module.exports = quoteAttributeValueForBrowser;
escapeTextContentForBrowser.js
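'use strict';

// Fast-path probe: if none of the characters " ' & < > occurs in the input,
// the string is returned unchanged and the escaping loop is skipped.
var matchHtmlRegExp = /["'&<>]/;

/**
 * Escapes the characters " ' & < > in a string as HTML entities.
 *
 * The input is coerced to a string with `'' + string`, so `null` and
 * `undefined` become the text "null" / "undefined".
 *
 * The output is intended for HTML text content and for attribute values that
 * are wrapped in quotes. It does not make a value safe in other contexts
 * (unquoted attributes, URL-valued attributes, inline event handlers,
 * <script> or <style> bodies); those need context-specific handling.
 *
 * @param {*} string Value to escape.
 * @return {string} The escaped string.
 */
function escapeHtml(string) {
  var str = '' + string;
  var match = matchHtmlRegExp.exec(str);

  if (!match) {
    return str;
  }

  var escape;
  var html = '';
  var index = 0;
  var lastIndex = 0;

  // Start at the first special character; everything before it is copied
  // verbatim by the first substring() call below.
  for (index = match.index; index < str.length; index++) {
    // Each replacement must be the literal entity text. A bare character here
    // (for example '<' instead of '&lt;') would turn the function into a no-op
    // and let markup through unescaped.
    switch (str.charCodeAt(index)) {
      case 34: // "
        escape = '&quot;';
        break;
      case 38: // &
        escape = '&amp;';
        break;
      case 39: // '
        escape = '&#x27;'; // modified from escape-html; used to be '&#39;'
        break;
      case 60: // <
        escape = '&lt;';
        break;
      case 62: // >
        escape = '&gt;';
        break;
      default:
        continue;
    }

    // Flush the run of ordinary characters that precedes this special one.
    if (lastIndex !== index) {
      html += str.substring(lastIndex, index);
    }

    lastIndex = index + 1;
    html += escape;
  }

  // Append any trailing ordinary characters after the last escaped one.
  return lastIndex !== index ? html + str.substring(lastIndex, index) : html;
}

/**
 * Escapes a value for insertion into HTML text content.
 *
 * Booleans and numbers are converted to strings and returned without going
 * through the escaper. Every other value is passed to escapeHtml, which
 * coerces it to a string and escapes " ' & < >.
 *
 * @param {*} text Value to escape.
 * @return {string} The escaped string.
 */
function escapeTextContentForBrowser(text) {
  if (typeof text === 'boolean' || typeof text === 'number') {
    return '' + text;
  }
  return escapeHtml(text);
}

module.exports = escapeTextContentForBrowser;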