feat(store): escape results when fetched

rayrutjes · rayrutjes · commit 61341a9065c8 · 2017-07-21T14:51:20.000+02:00
diff --git a/src/__tests__/store.js b/src/__tests__/store.js
@@ -333,4 +333,38 @@ describe('Store', () => {
 
     expect(store._helper.getPage()).toEqual(4);
   });
+
+  test('should allow to fetch sanitized results', () => {
+    const store = createStore();
+    store._helper.lastResults = {
+      hits: [
+        {
+          objectID: '1',
+          name: 'test',
+          _highlightResult: {
+            name: {
+              value:
+                "__ais-highlight__te__/ais-highlight__st<script>alert('test')</script>",
+              matchLevel: 'full',
+            },
+          },
+        },
+      ],
+    };
+
+    const results = store.results;
+    expect(results).toEqual([
+      {
+        objectID: '1',
+        name: 'test',
+        _highlightResult: {
+          name: {
+            value:
+              '<em>te</em>st&lt;script&gt;alert(&#39;test&#39;)&lt;/script&gt;',
+            matchLevel: 'full',
+          },
+        },
+      },
+    ]);
+  });
 });
diff --git a/src/store.js b/src/store.js
@@ -6,6 +6,8 @@ import {
   unserialize as unserializeHelper,
 } from './helper-serializer';
 
+import sanitizeResults from './sanitize-results';
+
 export const FACET_AND = 'and';
 export const FACET_OR = 'or';
 export const FACET_TREE = 'tree';
@@ -137,7 +139,12 @@ export class Store {
       return [];
     }
 
-    return this._helper.lastResults.hits;
+    return sanitizeResults(
+      this._helper.lastResults.hits,
+      HIGHLIGHT_PRE_TAG,
+      HIGHLIGHT_POST_TAG,
+      'em'
+    );
   }
 
   get page() {
