fix(xss): remove the escape logic

mydearxym · mydearxym · commit c0739c3c7cf3 · 2019-07-09T21:17:11.000+08:00
diff --git a/lib/helper/html.ex b/lib/helper/html.ex
@@ -30,5 +30,8 @@ defmodule Helper.HTML do
   # end
   # end
 
-  defp escape_to_safe_string(v), do: v |> HTML.html_escape() |> HTML.safe_to_string()
+  # defp escape_to_safe_string(v), do: v |> HTML.html_escape() |> HTML.safe_to_string()
+  defp escape_to_safe_string(v), do: v
+
+  # defp escape_to_safe_string(v), do: v |> HTML.javascript_escape # HTML.html_escape() |> HTML.safe_to_string()
 end
diff --git a/test/support/assert_helper.ex b/test/support/assert_helper.ex
@@ -24,7 +24,8 @@ defmodule GroupherServer.Test.AssertHelper do
   def assert_v(:xss_string), do: "<script>alert(\"hello,world\")</script>"
 
   def assert_v(:xss_safe_string),
-    do: "&lt;script&gt;alert(&quot;hello,world&quot;)&lt;/script&gt;"
+    # "&lt;script&gt;alert(&quot;hello,world&quot;)&lt;/script&gt;"
+    do: "<script>alert(\"hello,world\")</script>"
 
   def is_valid_kv?(obj, key, :list) when is_map(obj) do
     obj = map_key_stringify(obj)
