Merge pull request jsdom#156 from mikesamuel/master

Escape text from custom transformTags functions.

index.js

@@ -390,7 +390,7 @@ function sanitizeHtml(html, options, _recursing) {
       } else {
         result += '>';
         if (frame.innerText && !hasText && !options.textFilter) {
-          result += frame.innerText;
+          result += escapeHtml(frame.innerText);
         }
       }
       if (skip) {

test/test.js

@@ -703,6 +703,31 @@ describe('sanitizeHtml', function() {
       '<img src="fallback.jpg" srcset="foo.jpg 100w 2x, bar.jpg 200w 1x" />'
     );
   });
+
+  it('text from transformTags should not specify tags', function() {
+    var input = '<input value="&lt;script&gt;alert(1)&lt;/script&gt;">';
+    var want = '<u class="inlined-input">&lt;script&gt;alert(1)&lt;/script&gt;</u>';
+    // Runs the sanitizer with a policy that turns an attribute into
+    // text.  A policy like this might be used to turn inputs into
+    // inline elements that look like the original but which do not
+    // affect form submissions.
+    var got = sanitizeHtml(
+        input,
+        {
+          allowedTags: [ 'u' ],
+          allowedAttributes: { '*': ['class'] },
+          transformTags: {
+            input: function (tagName, attribs) {
+              return {
+                tagName: 'u',
+                attribs: { class: 'inlined-input' },
+                text: attribs.value
+              };
+            }
+          }
+        });
+    assert.equal(got, want);
+  });
   it('drop attribute names with meta-characters', function() {
     assert.equal(
       sanitizeHtml('<span data-<script>alert(1)//>', {