Escape only < in front-end json (#294)

next-theme · Jun 18, 2021 · 566238d · 566238d
1 parent 81f716d
commit 566238d
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 8 deletions.
diff --git a/scripts/helpers/engine.js b/scripts/helpers/engine.js
@@ -41,10 +41,9 @@ hexo.extend.helper.register('next_vendors', function(name) {
 });
 
 hexo.extend.helper.register('next_data', function(name, ...data) {
-  const { escape_html } = this;
   const json = data.length === 1 ? data[0] : Object.assign({}, ...data);
   return `<script class="next-config" data-name="${name}" type="application/json">${
-    escape_html(JSON.stringify(json))
+    JSON.stringify(json).replace(/</g, '\\u003c')
   }</script>`;
 });
 

diff --git a/source/js/config.js b/source/js/config.js
@@ -6,12 +6,7 @@ if (!window.NexT) window.NexT = {};
   const staticConfig = {};
   let variableConfig = {};
 
-  const parse = text => {
-    const jsonString = new DOMParser()
-      .parseFromString(text, 'text/html').documentElement
-      .textContent;
-    return JSON.parse(jsonString || '{}');
-  };
+  const parse = text => JSON.parse(text || '{}');
 
   const update = name => {
     const targetEle = document.querySelector(`.${className}[data-name="${name}"]`);