PHP htmlspecialchars() has an option to turn off double escaping. It would be useful to have this in our JS API since Drupal usually sends escaped text, but it's possible we would want to harden the ajax to always escape but not double escape for some results.

For example, I think this is a working implementation:

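Drupal.checkPlain = function (str, doubleEncode) {
  // Keys are regular expression sources, values are their replacements.
  // The ampersand entries come first so that the '&' in the entities
  // produced by the later replacements is not escaped again.
  var character, regex,
      replace = { '&(?!(amp|quot|lt|gt|#0?39);)': '&amp;', '&' : '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
  str = String(str);
  // Double encode by default like PHP htmlspecialchars.
  if (doubleEncode || (typeof doubleEncode === 'undefined')) {
    // Escape every ampersand, including those in existing entities.
    delete replace['&(?!(amp|quot|lt|gt|#0?39);)'];
  }
  else {
    // Escape only ampersands that do not start an already-escaped entity.
    delete replace['&'];
  }
  for (character in replace) {
    if (replace.hasOwnProperty(character)) {
      regex = new RegExp(character, 'g');
      str = str.replace(regex, replace[character]);
    }
  }
  return str;
};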
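The following is an added example, not part of the original issue and not Drupal core code: a single-pass variant of the same idea, with the cases a reviewer would want covered before relying on `doubleEncode = false`. The name `escapeHtml`, the sample strings, escaping of the single quote, and the treatment of numeric character references as existing entities are assumptions that go beyond the entity list in the post.

```javascript
// Added example: hypothetical helper, not Drupal's implementation.
// Every character that is always escaped, kept in one lookup table.
const HTML_ESCAPES = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };

// What counts as "already escaped": the named entities from the post, plus
// decimal and hex numeric references (assumption, see lead-in). The trailing
// semicolon is required, so a bare "&amp" is still escaped.
const EXISTING_ENTITY = '(?:amp|quot|lt|gt|#\\d+|#[xX][0-9a-fA-F]+);';

const ESCAPE_ALL = /[&"'<>]/g;
const ESCAPE_ONCE = new RegExp('&(?!' + EXISTING_ENTITY + ')|["\'<>]', 'g');

function escapeHtml(value, doubleEncode = true) {
  const pattern = doubleEncode ? ESCAPE_ALL : ESCAPE_ONCE;
  // One pass over the input: replacement output is never re-scanned, so the
  // result does not depend on the order in which characters are handled.
  return String(value).replace(pattern, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample inputs: raw text, pre-escaped text, and edge cases.
const SAMPLES = [
  'Tom & "Jerry" <b>',        // raw markup characters
  'Tom &amp; Jerry',          // already escaped by the server
  'a &lt;b&gt; & <i>',        // mixed escaped and raw
  '&amp &bogus; &#x3c;',      // missing semicolon, unknown name, hex reference
  "it&#039;s 'x'",            // existing #039 next to raw single quotes
];

// Returns one row per sample so both modes can be compared side by side.
function compareModes() {
  return SAMPLES.map((input) => ({
    input,
    doubled: escapeHtml(input),
    once: escapeHtml(input, false),
  }));
}

console.table(compareModes());
```

With `doubleEncode = false` the output never contains a raw `<`, `>`, `"` or `'`, and applying the function twice gives the same result as applying it once. It is lossy for text that literally contains an entity: a user who typed `&lt;` will see `<` displayed.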

Comments

pwolanin created an issue. See original summary.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.0-beta1 was released on March 2, 2016, which means new developments and disruptive changes should now be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.0-beta1 was released on August 3, 2016, which means new developments and disruptive changes should now be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.0-alpha1 will be released the week of January 30, 2017, which means new developments and disruptive changes should now be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.