Description
Describe the feature
Replace the deprecated escape function call with a custom implementation for HTML escaping. This could involve introducing a utility function like the following to handle HTML entity escaping securely:
    // Escape the five characters that are significant in HTML text and
    // attribute values. The ampersand must be handled first, otherwise the
    // entities produced by the later replacements would be escaped again.
    export function escapeHtml(unsafe: string): string {
      return unsafe
        .replace(/&/g, "&amp;")
        .replace(/</g, "&lt;")
        .replace(/>/g, "&gt;")
        .replace(/"/g, "&quot;")
        .replace(/'/g, "&#39;");
    }

The feature should integrate this custom escaping logic into the places where escape is currently used, ensuring that all HTML output is properly sanitized.
Why is this feature necessary?
The escape function is deprecated in modern JavaScript environments, which could lead to compatibility issues or security vulnerabilities in the future if not addressed. By implementing a custom, standards-compliant HTML escaping function, the library can maintain robust protection against XSS attacks while removing dependencies on deprecated APIs.
Describe alternatives you've considered
- Continuing to use the deprecated escape function as long as it is supported, but this risks future breakage when browser support is dropped.
- Relying on external libraries like he, lodash.escape, or core-js, but this adds unnecessary dependencies for a core functionality.
- Manual string replacements in specific locations, but centralizing the logic in a reusable function improves maintainability.
This change would help future-proof the codebase and align with best practices for HTML sanitization.
Note that I could make a PR but I don't have the time for it at the moment.
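As an added example (not code from the issue author or the project), the same escaping done in a single regex pass, which removes the replacement-ordering hazard of chained calls, alongside a deliberately mis-ordered variant that shows the double-escaping bug, and a small tagged template that keeps the escaping centralized at one point rather than at every call site. The `html` tag and the sample input are assumptions for illustration.

```typescript
// Added example, not the project's code: single-pass HTML escaping plus a
// tagged template that escapes every interpolated value.
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// One pass over the input: each special character is looked up in the table,
// so an ampersand produced by escaping can never be re-escaped later.
function escapeHtml(unsafe: string): string {
  return unsafe.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The chained form with the ampersand handled LAST, kept only to show the
// ordering bug: "<" becomes "&lt;", and then its "&" becomes "&amp;lt;".
function escapeHtmlWrongOrder(unsafe: string): string {
  return unsafe
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/&/g, "&amp;");
}

// Tagged template (assumed helper): literal parts are trusted markup written
// by the developer, interpolated values are untrusted and always escaped.
function html(strings: TemplateStringsArray, ...values: unknown[]): string {
  return strings.reduce(
    (out, lit, i) =>
      out + lit + (i < values.length ? escapeHtml(String(values[i])) : ""),
    ""
  );
}

// Constructed sample input standing in for untrusted user data.
const sampleInput = `Tom & "Jerry" <b>'bold'</b>`;

// Renders the value safely in both an attribute and a text-node context.
function renderSample(): string {
  return html`<span title="${sampleInput}">${sampleInput}</span>`;
}
```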