Improve HTML and attribute escaping, update CSP config

CHANGELOG.md

@@ -7,6 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v0.2.30] - 2026-01-05
+
+### Added
+- Add `escapeAttrName()`
+
+### Changed
+- Refactor HTML escaping
+
+### Deprecated
+- Mark `escapeAttrValue()` as deprecated with warning to use `escape()`
+
 ## [v0.2.29] - 2025-12-23
 
 ### Changed

dom.js

@@ -1,11 +1,30 @@
 import { attachListeners } from '@aegisjsproject/callback-registry/events.js';
-
-const ESCAPED_PATTERN = /&(?![a-zA-Z\d]{2,5};|#\d{1,3};)/g;
-
-export const escapeAttrVal = str => str.toString()
-	// Do not double-escape
-	.replaceAll(ESCAPED_PATTERN, '&')
-	.replaceAll('"', '"');
+export const HTML_UNSAFE_PATTERN = /[<>"']|&(?![a-zA-Z\d]{2,5};|#\d{1,3};)/g;
+/*eslint no-control-regex: "off"*/
+export const ATTR_NAME_UNSAFE_PATTERN = /[\u0000-\u001f\u007f-\u009f\s"'\\/=><&]/g;
+export const HTML_REPLACEMENTS = Object.freeze({
+	'&': '&amp;',
+	'"': '&quot;',
+	'\'': '&apos;',
+	'<': '&lt;',
+	'>': '&gt;',
+});
+
+export const escape = str => (str?.toString?.() ?? '')
+	.replaceAll(HTML_UNSAFE_PATTERN, char => HTML_REPLACEMENTS[char]);
+
+/**
+ *
+ * @param {@deprecated} str
+ * @returns {string}
+ */
+export const escapeAttrVal = str => {
+	console.warn('`escapeAttrVal()` is deprecated. Please use `escape()` instead.');
+	return escape(str);
+};
+
+export const escapeAttrName = str => (str?.toString?.() ?? '')
+	.replace(ATTR_NAME_UNSAFE_PATTERN, char => '_' + char.charCodeAt(0).toString(16).padStart(4, '0') + '_');
 
 export function createAttribute(name, value = '', namespace) {
 	const attr = typeof namespace === 'string'
@@ -17,13 +36,7 @@ export function createAttribute(name, value = '', namespace) {
 	return attr;
 }
 
-export const stringifyAttr = attr => `${attr.name}="${escapeAttrVal(attr.value)}"`;
-
-export const escape = str => str.toString()
-	.replaceAll(ESCAPED_PATTERN, '&amp;')
-	.replaceAll('<', '&lt;')
-	.replaceAll('>', '&gt;')
-	.replaceAll('"', '&quot;');
+export const stringifyAttr = attr => `${escapeAttrName(attr?.name)}="${escape(attr?.value)}"`;
 
 export const getUniqueSelector = (prefix = '_aegis-scope') => `${prefix}-${crypto.randomUUID()}`;
 

http.config.js

@@ -1,7 +1,7 @@
-import { useDefaultCSP, addConnectSrc, addTrustedTypePolicy, lockCSP } from '@aegisjsproject/http-utils/csp.js';
-
+import { useDefaultCSP, addScriptSrc, addConnectSrc, addTrustedTypePolicy, lockCSP } from '@aegisjsproject/http-utils/csp.js';
+addScriptSrc('https://unpkg.com/@shgysk8zer0/', 'https://unpkg.com/@aegisjsproject/');
 addConnectSrc('https://icanhazdadjoke.com/');
-addTrustedTypePolicy('aegis-router#html', 'default');
+addTrustedTypePolicy('aegis-router#html', 'aegis-sanitizer#html', 'default');
 lockCSP();
 
 export default {

index.html

@@ -14,7 +14,7 @@
 		<template id="tmp">
 			<div class="container">
 				<dad-joke></dad-joke>
-				<p>Lorem Ipsum and all that...</p>
+				<p>Lorem Ipsum &amp; all that...</p>
 				Free text...
 			</div>
 		</template>

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aegisjsproject/core",
-  "version": "0.2.29",
+  "version": "0.2.30",
   "description": "A fast, secure, modern, light-weight, and simple JS library for creating web components and more!",
   "keywords": [
     "aegis",