diff --git a/src/sql/base/common/strings.ts b/src/sql/base/common/strings.ts
new file mode 100644
index 0000000000..121133862a
--- /dev/null
+++ b/src/sql/base/common/strings.ts
@@ -0,0 +1,21 @@
+/*---------------------------------------------------------------------------------------------
+ * Copyright (c) Microsoft Corporation. All rights reserved.
+ * Licensed under the Source EULA. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+'use strict';
+
+/**
+ * Converts HTML characters inside the string to use entities instead. Makes the string safe from
+ * being used e.g. in HTMLElement.innerHTML.
+ */
+export function escape(html: string): string {
+ return html.replace(/[<|>|&|"]/g, function (match) {
+ switch (match) {
+ case '<': return '<';
+ case '>': return '>';
+ case '&': return '&';
+ case '"': return '"';
+ default: return match;
+ }
+ });
+}
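Review bot: The character class `/[<|>|&|"]/g` on the `replace` line treats `|` as a literal member and omits the single quote, so pipes are matched only to fall through to `default`, and the result is not safe inside a single-quoted attribute even though the doc comment promises safety for innerHTML. I would write the class as `/[<>&"']/g` and add `case '\'': return '&#39;';`. As shown on this page the four `case` arms return the same character they match. That may be the page decoding the entities, but if the file really reads this way the function escapes nothing, so confirm that the arms return `&lt;`, `&gt;`, `&amp;` and `&quot;`. The doc comment should also say which contexts are covered: element content and quoted attribute values, not script, style or URL contexts.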
diff --git a/src/sql/parts/grid/services/sharedServices.ts b/src/sql/parts/grid/services/sharedServices.ts
index c02292730a..5065d3c0f3 100644
--- a/src/sql/parts/grid/services/sharedServices.ts
+++ b/src/sql/parts/grid/services/sharedServices.ts
@@ -3,7 +3,7 @@
* Licensed under the Source EULA. See License.txt in the project root for license information.
*--------------------------------------------------------------------------------------------*/
-import * as Strings from 'vs/base/common/strings';
+import { escape } from 'sql/base/common/strings';
export class DBCellValue {
displayValue: string;
@@ -25,7 +25,7 @@ export function hyperLinkFormatter(row: number, cell: any, value: any, columnDef
valueToDisplay = 'NULL';
if (!value.isNull) {
cellClasses += ' xmlLink';
- valueToDisplay = Strings.escape(value.displayValue);
+ valueToDisplay = escape(value.displayValue);
return `${valueToDisplay}`;
} else {
cellClasses += ' missing-value';
@@ -44,12 +44,12 @@ export function textFormatter(row: number, cell: any, value: any, columnDef: any
if (DBCellValue.isDBCellValue(value)) {
valueToDisplay = 'NULL';
if (!value.isNull) {
- valueToDisplay = Strings.escape(value.displayValue.replace(/(\r\n|\n|\r)/g, ' '));
+ valueToDisplay = escape(value.displayValue.replace(/(\r\n|\n|\r)/g, ' '));
} else {
cellClasses += ' missing-value';
}
} else if (typeof value === 'string') {
- valueToDisplay = Strings.escape(value);
+ valueToDisplay = escape(value);
}
return `${valueToDisplay}`;
diff --git a/src/sql/parts/grid/views/query/query.component.ts b/src/sql/parts/grid/views/query/query.component.ts
index e94233ba42..8df91bf4b4 100644
--- a/src/sql/parts/grid/views/query/query.component.ts
+++ b/src/sql/parts/grid/views/query/query.component.ts
@@ -27,8 +27,9 @@ import { error } from 'sql/base/common/log';
import { TabChild } from 'sql/base/browser/ui/panel/tab.component';
import { clone, mixin } from 'sql/base/common/objects';
import { IQueryEditorService } from 'sql/parts/query/common/queryEditorService';
+import { escape } from 'sql/base/common/strings';
-import * as strings from 'vs/base/common/strings';
+import { format } from 'vs/base/common/strings';
import * as DOM from 'vs/base/browser/dom';
import { StandardKeyboardEvent } from 'vs/base/browser/keyboardEvent';
import { KeyCode } from 'vs/base/common/keyCodes';
@@ -60,7 +61,7 @@ export class QueryComponent extends GridParentComponent implements OnInit, OnDes
// create a function alias to use inside query.component
// tslint:disable-next-line:no-unused-variable
- private stringsFormat: any = strings.format;
+ private stringsFormat: any = format;
// tslint:disable-next-line:no-unused-variable
private dataIcons: IGridIcon[] = [
@@ -302,7 +303,7 @@ export class QueryComponent extends GridParentComponent implements OnInit, OnDes
// Push row values onto end of gridData for slickgrid
gridData.push({
values: rows.rows[row].map(c => {
- return mixin({ ariaLabel: c.displayValue }, c);
+ return mixin({ ariaLabel: escape(c.displayValue) }, c);
})
});
}
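Review bot: `escape(c.displayValue)` in the `map` callback is applied when the row data is built rather than where the label is written into markup, so its correctness depends on a sink that this hunk does not show. If `ariaLabel` is later interpolated into an HTML string the escaping is needed, and since `escape` does not cover `'` it only holds for a double-quoted attribute; if it is assigned through `setAttribute` or a framework binding, assistive technology would read the literal entity text. A one-line comment naming the sink would make this reviewable, for example `// ariaLabel is concatenated into cell HTML by the grid formatter, so it is entity-escaped here`, to be confirmed against the actual consumer. Unlike the formatters in sharedServices.ts there is no `isNull` check before the call, so if `displayValue` can be null or undefined for NULL cells the `.replace` inside `escape` would throw. The enclosing method starts and ends outside the hunk.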