Escape < in strings

blakeembrey · blakeembrey · commit 8b6f1f10a623 · 2026-04-14T11:54:45.000-07:00
diff --git a/src/function.ts b/src/function.ts
@@ -4,7 +4,6 @@ import { quoteKey, isValidVariableName } from "./quote";
 /**
  * Used in function stringification.
  */
-/* istanbul ignore next */
 const METHOD_NAMES_ARE_QUOTED =
   {
     " "() {
diff --git a/src/index.spec.ts b/src/index.spec.ts
@@ -82,14 +82,16 @@ describe("javascript-stringify", () => {
         "should escape certain unicode sequences",
         test("\u0602", "'\\u0602'"),
       );
+
+      it("should escape < for safety", test("</script>", "'\\u003c/script>'"));
     });
 
     describe("numbers", () => {
       it("should stringify integers", test(10, "10"));
 
       it("should stringify floats", test(10.5, "10.5"));
 
-      it('should stringify "NaN"', test(10.5, "10.5"));
+      it('should stringify "NaN"', test(NaN, "NaN"));
 
       it('should stringify "Infinity"', test(Infinity, "Infinity"));
 
@@ -220,6 +222,8 @@ describe("javascript-stringify", () => {
 
       describe("RegExp", () => {
         it("should stringify as shorthand", test(/[abc]/gi, "/[abc]/gi"));
+
+        it("should escape slashes", test(new RegExp("a/b"), "/a\\/b/"));
       });
 
       describe("Number", () => {
diff --git a/src/index.ts b/src/index.ts
@@ -66,7 +66,7 @@ export function stringify(
           // Track nodes to restore later.
           if (tracking.has(value)) {
             unpack.set(path.slice(1), tracking.get(value)!);
-            // Use `undefined` as temporaray stand-in for referenced nodes
+            // Use `undefined` as temporary stand-in for referenced nodes.
             return valueToString(undefined, space, onNext, key);
           }
 
diff --git a/src/quote.ts b/src/quote.ts
@@ -7,7 +7,7 @@ import { Next } from "./types";
  * Source: https://github.com/douglascrockford/JSON-js/blob/master/json2.js
  */
 const ESCAPABLE =
-  /[\\\'\x00-\x1f\x7f-\x9f\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g;
+  /[\\'<\x00-\x1f\x7f-\x9f\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g;
 
 /**
  * Map of characters to escape characters.

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,6 @@ import { quoteKey, isValidVariableName } from "./quote";`
`4`	`4`	`/**`
`5`	`5`	`* Used in function stringification.`
`6`	`6`	`*/`
`7`		`-/* istanbul ignore next */`
`8`	`7`	`const METHOD_NAMES_ARE_QUOTED =`
`9`	`8`	`{`
`10`	`9`	`" "() {`
Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ export function stringify(`
`66`	`66`	`// Track nodes to restore later.`
`67`	`67`	`if (tracking.has(value)) {`
`68`	`68`	`unpack.set(path.slice(1), tracking.get(value)!);`
`69`		- // Use `undefined` as temporaray stand-in for referenced nodes
	`69`	+ // Use `undefined` as temporary stand-in for referenced nodes.
`70`	`70`	`return valueToString(undefined, space, onNext, key);`
`71`	`71`	`}`
`72`	`72`