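const express = require('express');
const app = express();

/**
 * Escape the five characters that are significant in HTML text and in
 * attribute values: `"`, `&`, `'`, `<`, `>`.
 *
 * The replacement strings must be HTML entities; an escaper whose
 * replacement is the character itself is a no-op and provides no protection.
 *
 * @param {*} string - value to escape; coerced to a string first
 * @returns {string} the escaped text
 */
function escapeHtml1(string) {
  const str = `${string}`;
  let html = '';
  let lastIndex = 0;
  for (let index = 0; index < str.length; index++) {
    let escape;
    switch (str.charCodeAt(index)) {
      case 34: // "
        escape = '&quot;';
        break;
      case 38: // &
        escape = '&amp;';
        break;
      case 39: // '
        escape = '&#39;';
        break;
      case 60: // <
        escape = '&lt;';
        break;
      case 62: // >
        escape = '&gt;';
        break;
      default:
        continue;
    }
    // Flush the unescaped run that precedes this character, then the entity.
    if (lastIndex !== index) {
      html += str.substring(lastIndex, index);
    }
    lastIndex = index + 1;
    html += escape;
  }
  // `index` is block-scoped to the loop header, so the trailing run is
  // measured against str.length rather than the loop variable.
  return lastIndex !== str.length ? html + str.substring(lastIndex) : html;
}

/**
 * Escape `&`, `<` and `"` only.
 *
 * `>` and `'` are passed through unchanged, so the result is safe only in a
 * text node or inside a double-quoted attribute; do not use it for
 * single-quoted attributes.
 *
 * @param {string} s - text to escape
 * @returns {string} the escaped text
 */
function escapeHtml2(s) {
  let buf = '';
  let i = 0;
  while (i < s.length) {
    const ch = s[i++];
    switch (ch) {
      case '&':
        buf += '&amp;';
        break;
      case '<':
        buf += '&lt;';
        break;
      case '"':
        buf += '&quot;';
        break;
      default:
        buf += ch;
        break;
    }
  }
  return buf;
}

/**
 * Escape `&`, `"`, `<` and `>` by collecting the output as an array of
 * unescaped runs and entities and joining it once at the end.
 *
 * `'` is not escaped, so the result is safe in a text node or a
 * double-quoted attribute only.
 *
 * @param {string} value - text to escape
 * @returns {string} the escaped text
 */
function escapeHtml3(value) {
  const XMLChars = {
    AMP: 38, // "&"
    QUOT: 34, // "\""
    LT: 60, // "<"
    GT: 62, // ">"
  };
  const isSpecial = (code) =>
    code === XMLChars.AMP || code === XMLChars.QUOT || code === XMLChars.LT || code === XMLChars.GT;

  const length = value.length;
  const parts = [];
  let i = 0;
  while (i < length) {
    // Copy the run of ordinary characters up to the next special one.
    const runStart = i;
    while (i < length && !isSpecial(value.charCodeAt(i))) {
      i++;
    }
    if (runStart < i) {
      parts.push(value.substring(runStart, i));
    }
    if (i >= length) {
      break;
    }
    switch (value.charCodeAt(i)) {
      case XMLChars.AMP:
        parts.push('&amp;');
        break;
      case XMLChars.QUOT:
        parts.push('&quot;');
        break;
      case XMLChars.LT:
        parts.push('&lt;');
        break;
      case XMLChars.GT:
        parts.push('&gt;');
        break;
    }
    ++i;
  }
  return parts.join('');
}

/**
 * Same contract as escapeHtml2 (escapes `&`, `<`, `"`; leaves `>` and `'`
 * untouched), reading characters with charAt instead of indexing.
 *
 * @param {string} s - text to escape
 * @returns {string} the escaped text
 */
function escapeHtml4(s) {
  let buf = '';
  let i = 0;
  while (i < s.length) {
    const ch = s.charAt(i++);
    switch (ch) {
      case '&':
        buf += '&amp;';
        break;
      case '<':
        buf += '&lt;';
        break;
      case '"':
        buf += '&quot;';
        break;
      default:
        buf += ch;
        break;
    }
  }
  return buf;
}

// Reflects the user-controlled path parameter back in the response body.
// Each escaper neutralises the characters that matter for an HTML text node,
// so the reflected value is not interpreted as markup.
app.get('/user/:id', function (req, res) {
  const id = req.params.id;
  const escaped = [
    escapeHtml1(id), // OK
    escapeHtml2(id), // OK
    escapeHtml3(id), // OK - but FP [INCONSISTENCY] (presumably the
    //                  parts-array/join shape is not recognised as a
    //                  sanitizer by the checker — confirm)
    escapeHtml4(id), // OK
  ];
  // A response is sent exactly once: calling res.send() again after the
  // headers have been written throws.
  res.send(escaped.join('\n'));
});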