From f847b98972e463a43300d670e0152de3a46e9f68 Mon Sep 17 00:00:00 2001
From: Amio <amio.cn@gmail.com>
Date: Thu, 30 Aug 2018 16:02:43 +0800
Subject: [PATCH] fix: sanitize text strings

---
 lib/index.js                                           | 4 ++++
 preview/preview.md                                     | 4 ++++
 tap-snapshots/test-calc-text-width.spec.js-TAP.test.js | 4 ++++
 test/calc-text-width.spec.js                           | 5 +++++
 4 files changed, 17 insertions(+)

diff --git a/lib/index.js b/lib/index.js
index d0a19d6..f6f5f96 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -1,5 +1,6 @@
 const calcWidth = require('./calc-text-width.js').Verdana110
 const colorPresets = require('./color-presets.js')
+const sanitize = str => str.replace(/\u0026/g, '&amp;').replace(/\u003C/g, '&lt;')
 
 module.exports = ({ subject, status, color, style, icon, iconWidth = 13 }) => {
   typeAssert(typeof subject === 'string', '<subject> must be string')
@@ -15,6 +16,9 @@ module.exports = ({ subject, status, color, style, icon, iconWidth = 13 }) => {
   const width = sbRectWidth + stRectWidth
   const xlink = icon ? ' xmlns:xlink="http://www.w3.org/1999/xlink"' : ''
 
+  subject = sanitize(subject)
+  status = sanitize(status)
+
   if (style === 'flat') {
     return `<svg width="${width / 10}" height="20" viewBox="0 0 ${width} 200" xmlns="http://www.w3.org/2000/svg"${xlink}>
   <g>
diff --git a/preview/preview.md b/preview/preview.md
index 67bbe29..56f8a7c 100644
--- a/preview/preview.md
+++ b/preview/preview.md
@@ -47,3 +47,7 @@
 | ![](http://localhost:3000//badge?icon=1) | [//badge?icon=1](http://localhost:3000//badge?icon=1)
 | ![](/icon/badge?icon=1) | [/icon/badge?icon=1](/icon/badge?icon=1)
 | ![](/icon/badge?icon=1&style=flat) | [/icon/badge?icon=1&style=flat](/icon/badge?icon=1&style=flat)
+
+## Edge Cases
+
+![](/<{[(&)]}>/<{[(&)]}>)
diff --git a/tap-snapshots/test-calc-text-width.spec.js-TAP.test.js b/tap-snapshots/test-calc-text-width.spec.js-TAP.test.js
index ee2425d..3cb0da7 100644
--- a/tap-snapshots/test-calc-text-width.spec.js-TAP.test.js
+++ b/tap-snapshots/test-calc-text-width.spec.js-TAP.test.js
@@ -13,6 +13,10 @@ exports[`test/calc-text-width.spec.js TAP calc width for unicode > result is cor
 550
 `
 
+exports[`test/calc-text-width.spec.js TAP calc width for special chars > result is correct 1`] = `
+600
+`
+
 exports[`test/calc-text-width.spec.js TAP calc width for emojis > result is correct 1`] = `
 330
 `
diff --git a/test/calc-text-width.spec.js b/test/calc-text-width.spec.js
index 4757754..b9032d5 100644
--- a/test/calc-text-width.spec.js
+++ b/test/calc-text-width.spec.js
@@ -18,6 +18,11 @@ tap.test('calc width for unicode', t => {
   t.end()
 })
 
+tap.test('calc width for special chars', t => {
+  t.matchSnapshot(calcWidth('<{[(&)]}>'), 'result is correct')
+  t.end()
+})
+
 tap.test('calc width for accented characters', t => {
   t.ok(calcWidth('i') === calcWidth('ï'), 'i and ï have the same width')
   t.ok(calcWidth('e') === calcWidth('é'), 'e and é have the same width')