microlinkhq
diff --git a/‎packages/metascraper/__snapshots__/xss.js.snap-shot‎
Lines changed: 4 additions & 0 deletions b/‎packages/metascraper/__snapshots__/xss.js.snap-shot‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎packages/metascraper/test/unit/interface.js‎
Lines changed: 28 additions & 0 deletions b/‎packages/metascraper/test/unit/interface.js‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎packages/metascraper/test/unit/xss.js‎
Lines changed: 46 additions & 0 deletions b/‎packages/metascraper/test/unit/xss.js‎
Lines changed: 46 additions & 0 deletions
diff --git a/‎packages/metascraper/test/unit/xss/files/issue-96.html‎
Lines changed: 0 additions & 16 deletions b/‎packages/metascraper/test/unit/xss/files/issue-96.html‎
Lines changed: 0 additions & 16 deletions
diff --git a/‎packages/metascraper/test/unit/xss/xss.js‎
Lines changed: 0 additions & 36 deletions b/‎packages/metascraper/test/unit/xss/xss.js‎
Lines changed: 0 additions & 36 deletions
@@ -0,0 +1,4 @@
+exports['escape when the value is not empty 1'] = {
+  "title": "&lt;script src=‘http://127.0.0.1:8080/malware.js’&gt;&lt;/script&gt;"
+}
+
@@ -28,6 +28,34 @@ it('url is required', async () => {
   }
 })
 
+it('escape is enabled by default', async () => {
+  const html = `
+  <!doctype html>
+  <html xmlns:og="http://ogp.me/ns#" lang="en">
+
+  <head>
+      <meta charset="utf8">
+      <title>metascraper</title>
+      <meta property="og:description" content="The HR startups go to war.">
+      <meta property="og:image" content="image">
+      <meta property="og:title" content="<script src='http://127.0.0.1:8080/malware.js'></script>">
+      <meta property="og:type" content="article">
+      <meta property="og:url" content="http://127.0.0.1:8080">
+  </head>
+
+  <body>
+  </body>
+  </html>
+  `
+
+  const metadata = await metascraper({
+    html: html,
+    url: 'http://127.0.0.1:8080'
+  })
+
+  should(metadata.title).be.equal('<script src=‘http://127.0.0.1:8080/malware.js’></script>')
+})
+
 it('load extra rules', async () => {
   const url = 'https://microlink.io'
 
 
@@ -0,0 +1,46 @@
+'use strict'
+
+const metascraper = require('metascraper')([require('metascraper-title')()])
+const snapshot = require('snap-shot')
+const should = require('should')
+
+const html = `
+<!doctype html>
+<html xmlns:og="http://ogp.me/ns#" lang="en">
+
+<head>
+    <meta charset="utf8">
+    <title>metascraper</title>
+    <meta property="og:description" content="The HR startups go to war.">
+    <meta property="og:image" content="image">
+    <meta property="og:title" content="<script src='http://127.0.0.1:8080/malware.js'></script>">
+    <meta property="og:type" content="article">
+    <meta property="og:url" content="http://127.0.0.1:8080">
+</head>
+
+<body>
+</body>
+</html>
+`
+
+describe('xss', () => {
+  it('explicitily disable escape', async () => {
+    const metadata = await metascraper({
+      html: html,
+      url: 'http://127.0.0.1:8080',
+      escape: false
+    })
+
+    should(metadata.title).be.equal('<script src=‘http://127.0.0.1:8080/malware.js’></script>')
+  })
+
+  it('escape when the value is not empty', async () => {
+    const metadata = await metascraper({
+      html: html,
+      url: 'http://127.0.0.1:8080',
+      escape: true
+    })
+
+    snapshot(metadata)
+  })
+})
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +exports['escape when the value is not empty 1'] = {
 +  "title": "&lt;script src=‘http://127.0.0.1:8080/malware.js’&gt;&lt;/script&gt;"
 +}
++