HugoDF · HugoDF · Oct 21, 2024 · Oct 21, 2024 · Oct 21, 2024 · Oct 21, 2024
diff --git a/html-esc.js b/html-esc.js
@@ -12,6 +12,13 @@ const markSafe = (str) =>
 
 function htmlSanitize(rawText = "") {
   if (rawText?.__html_sanitized) return rawText;
+  if (typeof rawText !== "string") {
+    console.error(
+      `Bad interpolated value, expected type "string" received type "${typeof rawText}". Try serializing the value:`,
+      rawText,
+    );
+    rawText = "";
+  }
   return markSafe(esc(rawText));
 }
 

diff --git a/html-esc.test.js b/html-esc.test.js
@@ -42,6 +42,22 @@ test("html - supports interpolation of lists of tagged items", (t) => {
     </ul>`,
   );
 });
+test("html - interpolation of objects is forbidden, console.error but doesn't crash", (t) => {
+  const mockConsoleError = t.mock.method(console, "error", () => {});
+  t.assert.strictEqual(
+    html`<pre>${{ hello: "world <img src='some-url'>" }}</pre>`.valueOf(),
+    `<pre></pre>`,
+  );
+  t.assert.strictEqual(mockConsoleError.mock.callCount(), 1);
+  t.assert.deepStrictEqual(mockConsoleError.mock.calls[0].arguments, [
+    'Bad interpolated value, expected type "string" received type "object". Try serializing the value:',
+    {
+      hello: "world <img src='some-url'>",
+    },
+  ]);
+
+  t.mock.reset();
+});
 test("html - doesn't break on bad payloads", (t) => {
   const badPayload = `"><script>console.log('123')</script>`;
 

diff --git a/package.json b/package.json
@@ -9,7 +9,7 @@
   "scripts": {
     "dev": "node serve.js",
     "test": "node --test --experimental-test-coverage",
-    "lint": "npm run format -- -c",
+    "lint": "npm run format -- -c --no-write",
     "format": "prettier --write './**/*.{js,json,yml,md,html}'"
   },
   "homepage": "https://github.com/HugoDF/html-esc",