Adding Unencode() HTML Function

Author: Brandon Marick

CHANGELOG.md

@@ -1,5 +1,7 @@
 #### HEAD
 
+- Added a `unescape()` HTML function
+  ([#509](https://github.com/chriso/validator.js/pull/509))
 - Added a Malaysian locale to `isMobilePhone()`
   ([#507](https://github.com/chriso/validator.js/pull/507))
 - Added Polish locales to `isAlpha()` and `isAlphanumeric()`

README.md

@@ -101,6 +101,7 @@ Passing anything other than a string is an error.
 
 - **blacklist(input, chars)** - remove characters that appear in the blacklist. The characters are used in a RegExp and so you will need to escape some chars, e.g. `blacklist(input, '\\[\\]')`.
 - **escape(input)** - replace `<`, `>`, `&`, `'`, `"` and `/` with HTML entities.
+- **unescape(input)** - replaces HTML encoded entities with `<`, `>`, `&`, `'`, `"` and `/`.
 - **ltrim(input [, chars])** - trim characters from the left-side of the input.
 - **normalizeEmail(email [, options])** - canonicalize an email address. `options` is an object which defaults to `{ lowercase: true, remove_dots: true, remove_extension: true }`. With `lowercase` set to `true`, the local part of the email address is lowercased for all domains; the hostname is always lowercased and the local part of the email address is always lowercased for hosts that are known to be case-insensitive (currently only GMail). Normalization follows special rules for known providers: currently, GMail addresses have dots removed in the local part and are stripped of extensions (e.g. `some.one+extension@gmail.com` becomes `someone@gmail.com`) and all `@googlemail.com` addresses are normalized to `@gmail.com`.
 - **rtrim(input [, chars])** - trim characters from the right-side of the input.

index.js

@@ -208,6 +208,10 @@ var _escape = require('./lib/escape');
 
 var _escape2 = _interopRequireDefault(_escape);
 
+var _unescape = require('./lib/unescape');
+
+var _unescape2 = _interopRequireDefault(_unescape);
+
 var _stripLow = require('./lib/stripLow');
 
 var _stripLow2 = _interopRequireDefault(_stripLow);
@@ -262,7 +266,7 @@ var validator = {
   isISO8601: _isISO2.default,
   isBase64: _isBase2.default,
   ltrim: _ltrim2.default, rtrim: _rtrim2.default, trim: _trim2.default,
-  escape: _escape2.default, stripLow: _stripLow2.default,
+  escape: _escape2.default, unescape: _unescape2.default, stripLow: _stripLow2.default,
   whitelist: _whitelist2.default, blacklist: _blacklist2.default,
   isWhitelisted: _isWhitelisted2.default,
   normalizeEmail: _normalizeEmail2.default,

lib/unescape.js

@@ -0,0 +1,18 @@
+'use strict';
+
+Object.defineProperty(exports, "__esModule", {
+      value: true
+});
+exports.default = unescape;
+
+var _assertString = require('./util/assertString');
+
+var _assertString2 = _interopRequireDefault(_assertString);
+
+function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+
+function unescape(str) {
+      (0, _assertString2.default)(str);
+      return str.replace(/&amp;/g, '&').replace(/&quot;/g, '"').replace(/&#x27;/g, "'").replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&#x2F;/g, '\/').replace(/&#96;/g, '\`');
+}
+module.exports = exports['default'];

src/index.js

@@ -69,6 +69,7 @@ import ltrim from './lib/ltrim';
 import rtrim from './lib/rtrim';
 import trim from './lib/trim';
 import escape from './lib/escape';
+import unescape from './lib/unescape';
 import stripLow from './lib/stripLow';
 import whitelist from './lib/whitelist';
 import blacklist from './lib/blacklist';
@@ -104,7 +105,7 @@ const validator = {
   isISO8601,
   isBase64,
   ltrim, rtrim, trim,
-  escape, stripLow,
+  escape, unescape, stripLow,
   whitelist, blacklist,
   isWhitelisted,
   normalizeEmail,

src/lib/unescape.js

@@ -0,0 +1,12 @@
+import assertString from './util/assertString';
+
+export default function unescape(str) {
+  assertString(str);
+  return (str.replace(/&/g, '&')
+        .replace(/"/g, '"')
+        .replace(/'/g, "'")
+        .replace(/&lt;/g, '<')
+        .replace(/&gt;/g, '>')
+        .replace(/&#x2F;/g, '\/')
+        .replace(/&#96;/g, '\`'));
+}

test/sanitizers.js

@@ -134,6 +134,22 @@ describe('Sanitizers', function () {
     });
   });
 
+  it('should unescape HTML', function () {
+    test({
+      sanitizer: 'unescape',
+      expect: {
+        '<script> alert("xss&fun"); </script>':
+             '<script> alert("xss&fun"); </script>',
+
+        '&lt;script&gt; alert(&#x27;xss&amp;fun&#x27;); &lt;&#x2F;script&gt;':
+            "<script> alert('xss&fun'); </script>",
+
+        'Backtick: &#96;':
+            'Backtick: `',
+      },
+    });
+  });
+
   it('should remove control characters (<32 and 127)', function () {
     // Check basic functionality
     test({

validator.js

@@ -981,6 +981,11 @@
             return str.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/'/g, '&#x27;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/\//g, '&#x2F;').replace(/\`/g, '&#96;');
       }
 
+      function unescape(str) {
+            assertString(str);
+            return str.replace(/&amp;/g, '&').replace(/&quot;/g, '"').replace(/&#x27;/g, "'").replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&#x2F;/g, '\/').replace(/&#96;/g, '\`');
+      }
+
       function blacklist(str, chars) {
         assertString(str);
         return str.replace(new RegExp('[' + chars + ']+', 'g'), '');
@@ -1066,7 +1071,7 @@
         isISO8601: isISO8601,
         isBase64: isBase64,
         ltrim: ltrim, rtrim: rtrim, trim: trim,
-        escape: escape, stripLow: stripLow,
+        escape: escape, unescape: unescape, stripLow: stripLow,
         whitelist: whitelist, blacklist: blacklist,
         isWhitelisted: isWhitelisted,
         normalizeEmail: normalizeEmail,