Implement a Safe JSON-LD replacer

Eyas · Eyas · commit 22e7dec0f11d · 2020-03-16T20:32:36.000-04:00
Per https://www.w3.org/TR/json-ld11/#restrictions-for-contents-of-json-ld-script-elements See the parent issue in w3c/json-ld-syntax#100 where this was created. Fixes #9
diff --git a/src/json-ld.tsx b/src/json-ld.tsx
@@ -1,5 +1,5 @@
 /**
- * Copyright 2019 Google LLC
+ * Copyright 2020 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -44,8 +44,58 @@ export class JsonLd<T extends Thing> extends React.Component<{
     return (
       <script
         type="application/ld+json"
-        dangerouslySetInnerHTML={{ __html: JSON.stringify(this.props.item) }}
+        dangerouslySetInnerHTML={{
+          __html: JSON.stringify(this.props.item, safeJsonLdReplacer)
+        }}
       />
     );
   }
 }
+
+type JsonValueScalar = string | boolean | number;
+type JsonValue =
+  | JsonValueScalar
+  | Array<JsonValue>
+  | { [key: string]: JsonValue };
+type JsonReplacer = (_: string, value: JsonValue) => JsonValue | undefined;
+
+/**
+ * A replacer for JSON.stringify to strip JSON-LD of illegal HTML entities
+ * per https://www.w3.org/TR/json-ld11/#restrictions-for-contents-of-json-ld-script-elements
+ */
+const safeJsonLdReplacer: JsonReplacer = (() => {
+  // Replace per https://www.w3.org/TR/json-ld11/#restrictions-for-contents-of-json-ld-script-elements
+  // Solution from https://stackoverflow.com/a/5499821/864313
+  const entities = Object.freeze({
+    "&": "&amp;",
+    "<": "&lt;",
+    ">": "&gt;",
+    '"': "&quot;",
+    "'": "&apos;"
+  });
+  const replace = (t: string): string =>
+    entities[t as keyof typeof entities] || t;
+
+  return (_: string, value: JsonValue): JsonValue | undefined => {
+    switch (typeof value) {
+      case "object":
+        return value; // JSON.stringify will recursively call replacer.
+      case "number":
+      case "boolean":
+      case "bigint":
+        return value; // These values are not risky.
+      case "string":
+        return value.replace(/[&<>'"]/g, replace);
+      default: {
+        // We shouldn't expect other types.
+        isNever(value);
+
+        // JSON.stringify will remove this element.
+        return undefined;
+      }
+    }
+  };
+})();
+
+// Utility: Assert never
+function isNever(_: never): void {}
