diff --git a/src/lib/unescape.js b/src/lib/unescape.js index 213a0f70b..feb255ac0 100644 --- a/src/lib/unescape.js +++ b/src/lib/unescape.js @@ -2,12 +2,15 @@ import assertString from './util/assertString'; export default function unescape(str) { assertString(str); - return (str.replace(/&/g, '&') - .replace(/"/g, '"') + return (str.replace(/"/g, '"') .replace(/'/g, "'") .replace(/</g, '<') .replace(/>/g, '>') .replace(///g, '/') .replace(/\/g, '\\') - .replace(/`/g, '`')); + .replace(/`/g, '`') + .replace(/&/g, '&')); + // & replacement has to be the last one to prevent + // bugs with intermediate strings containing escape sequences + // See: https://github.com/validatorjs/validator.js/issues/1827 } diff --git a/test/sanitizers.js b/test/sanitizers.js index 00ec35ab9..ecb0e128f 100644 --- a/test/sanitizers.js +++ b/test/sanitizers.js @@ -184,6 +184,9 @@ describe('Sanitizers', () => { 'Backtick: `': 'Backtick: `', + + 'Escaped string: &lt;': + 'Escaped string: <', }, }); });