escape closing tags

.travis.yml

@@ -2,7 +2,8 @@ language: node_js
 os:
  - linux
 node_js:
-  - "11"
+  - "13"
+  - "12"
   - "10"
   - "8"
   - "6"
@@ -14,7 +15,7 @@ before_install:
   - 'nvm install-latest-npm'
 install:
   - 'if [ "${TRAVIS_NODE_VERSION}" = "0.6" ]; then nvm install --latest-npm 0.8 && npm install && nvm use "${TRAVIS_NODE_VERSION}"; else npm install; fi;'
-  - 'npm ls > /dev/null'
+  - 'npm prune && npm ls' # > /dev/null'
 script:
   - 'if [ -n "${PRETEST-}" ]; then npm run pretest ; fi'
   - 'if [ -n "${POSTTEST-}" ]; then npm run posttest ; fi'
@@ -31,6 +32,4 @@ matrix:
     - node_js: "lts/*"
       env: COVERAGE=true
   allow_failures:
-    - node_js: "iojs"
-    - node_js: "0.12"
     - node_js: "0.10"

package.json

@@ -52,24 +52,24 @@
     "babel-preset-airbnb": "^2.5.3",
     "chai": "^4.2.0",
     "cheerio": "^1.0.0-rc.3",
-    "eslint": "^5.16.0",
-    "eslint-config-airbnb-base": "^13.1.0",
+    "eslint": "^6.8.0",
+    "eslint-config-airbnb-base": "^14.1.0",
     "eslint-plugin-import": "^2.17.3",
-    "in-publish": "^2.0.0",
+    "in-publish": "^2.0.1",
     "istanbul": "^1.0.0-alpha.2",
     "mocha": "^3.5.3",
     "mocha-wrap": "^2.1.2",
-    "rimraf": "^2.6.3",
-    "safe-publish-latest": "^1.1.2",
+    "rimraf": "^2.7.1",
+    "safe-publish-latest": "^1.1.4",
     "sinon": "^3.3.0",
     "sinon-sandbox": "^1.0.2"
   },
   "dependencies": {
     "airbnb-js-shims": "^2 || ^3",
-    "bluebird": "^3.5.5",
+    "bluebird": "^3.7.2",
     "body-parser": "^1.19.0",
     "express": "^4.17.1",
-    "glob": "^7.1.4",
+    "glob": "^7.1.6",
     "has": "^1.0.3",
     "lru-cache": "^4.1.5",
     "object.assign": "^4.1.0",

src/index.js

@@ -6,6 +6,7 @@ const RIGHT = '-->';
 const ENCODE = [
   ['&', '&'],
   ['>', '>'],
+  ['</', '&lt;/'],
 ];
 
 const DATA_KEY = 'hypernova-key';

test/escape-test.js

@@ -5,59 +5,61 @@ import { serialize, toScript, fromScript } from '..';
 
 describe('escaping', () => {
   it('escapes', () => {
-    const html = serialize('foo', '', { foo: '</script>', bar: '&gt;' });
+    const html = serialize('foo', '', { foo: '</script>', bar: '&gt;', baz: '</script ' });
 
-    assert.include(html, '</script&gt;');
+    assert.include(html, '&lt;/script&gt;');
     assert.include(html, '&amp;gt;');
+    assert.include(html, '&lt;/script ');
   });
 
   wrap()
-  .withGlobal('document', () => ({}))
-  .describe('with fromScript', () => {
-    it('loads the escaped content correctly', () => {
-      const html = toScript({ a: 'b' }, { foo: '</script>', bar: '&gt;', baz: '&amp;' });
-      const $ = cheerio.load(html);
+    .withGlobal('document', () => ({}))
+    .describe('with fromScript', () => {
+      it('loads the escaped content correctly', () => {
+        const html = toScript({ a: 'b' }, { foo: '</script>', bar: '&gt;', baz: '&amp;', foobar: '</script x' });
+        const $ = cheerio.load(html);
 
-      global.document.querySelector = () => ({ innerHTML: $($('script')[0]).html() });
+        global.document.querySelector = () => ({ innerHTML: $($('script')[0]).html() });
 
-      const res = fromScript({
-        a: 'b',
-      });
-
-      assert.isObject(res);
+        const res = fromScript({
+          a: 'b',
+        });
 
-      assert.equal(res.foo, '</script>');
-      assert.equal(res.bar, '&gt;');
-      assert.equal(res.baz, '&amp;');
-    });
+        assert.isObject(res);
 
-    it('escapes multiple times the same, with interleaved decoding', () => {
-      const makeHTML = () => toScript({ attr: 'key' }, {
-        props: 'yay',
-        needsEncoding: '" &gt; </script>', // "needsEncoding" is necessary
+        assert.equal(res.foo, '</script>');
+        assert.equal(res.bar, '&gt;');
+        assert.equal(res.baz, '&amp;');
+        assert.equal(res.foobar, '</script x');
       });
-      const script1 = makeHTML();
-      const script2 = makeHTML();
-      assert.equal(script1, script2, 'two successive toScripts result in identical HTML');
 
-      const $ = cheerio.load(script1);
+      it('escapes multiple times the same, with interleaved decoding', () => {
+        const makeHTML = () => toScript({ attr: 'key' }, {
+          props: 'yay',
+          needsEncoding: '" &gt; </script>', // "needsEncoding" is necessary
+        });
+        const script1 = makeHTML();
+        const script2 = makeHTML();
+        assert.equal(script1, script2, 'two successive toScripts result in identical HTML');
 
-      global.document.querySelector = () => ({ innerHTML: $($('script')[0]).html() });
+        const $ = cheerio.load(script1);
 
-      const res = fromScript({ attr: 'key' });
+        global.document.querySelector = () => ({ innerHTML: $($('script')[0]).html() });
 
-      const script3 = makeHTML();
-      assert.equal(
-        script1,
-        script3,
-        'third toScript after a fromScript call results in the same HTML',
-      );
+        const res = fromScript({ attr: 'key' });
 
-      assert.isObject(res);
+        const script3 = makeHTML();
+        assert.equal(
+          script1,
+          script3,
+          'third toScript after a fromScript call results in the same HTML',
+        );
 
-      assert.equal(res.props, 'yay');
+        assert.isObject(res);
+
+        assert.equal(res.props, 'yay');
+      });
     });
-  });
 
   it('escapes quotes and fixes data attributes', () => {
     const markup = toScript({