Misleading name/behavior for escapeHTML: Should denote "use for attribute values"

[mmichaelis]

BBob/packages/bbob-plugin-helper/src/helpers.js

Lines 28 to 39 in 3575982

	/**
	* Replaces " to &qquot;
	* @param {String} value
	*/
	const escapeHTML = (value) => value
	.replace(/&/g, '&')
	.replace(/</g, '&lt;')
	.replace(/>/g, '&gt;')
	.replace(/"/g, '&quot;')
	.replace(/'/g, '&#039;')
	// eslint-disable-next-line no-script-url
	.replace(/(javascript|data|vbscript):/gi, '$1%3A');

The name escapeHTML suggests, that the method may be used to sanitize text-content and get rid of probably malicious nested HTML in BBCode, like [i]<script>javascript:alert("XSS!"</script>[/i]. Unfortunately, the method has an extra turn, to support escaping of probably unsafe href attributes: It also escapes problematic protocols assuming, we are in a URL-context.

Thus, naively reused in custom API the above will escape the text content to:

<script>javascript%3Aalert... (etc.)

The suggestion for clarity is to name the method escapeHTMLAttribute or, as this is considered breaking, at least mention this usage in the JSdoc.

Otherwise, I think the best option for escaping (and I tend to switch to it) is to rely on DOM processing as suggested in #148 (comment).

[JiLiZART]

DOM processing is not possible because this library is isomorphic. But you can escape html attributes in your own plugin using DOM API.
I have ideas to extract this function to separate folder with browser.js and node.js version (using platform API like DOM or node js builtin functions)