[Fix] escape closing </script tags

Fixes #165.

Author: Johannes Burghardt

src/index.js

@@ -6,6 +6,7 @@ const RIGHT = '-->';
 const ENCODE = [
   ['&', '&'],
   ['>', '>'],
+  ['</', '&lt;/'],
 ];
 
 const DATA_KEY = 'hypernova-key';

test/escape-test.js

@@ -5,59 +5,61 @@ import { serialize, toScript, fromScript } from '..';
 
 describe('escaping', () => {
   it('escapes', () => {
-    const html = serialize('foo', '', { foo: '</script>', bar: '&gt;' });
+    const html = serialize('foo', '', { foo: '</script>', bar: '&gt;', baz: '</script ' });
 
-    assert.include(html, '</script&gt;');
+    assert.include(html, '&lt;/script&gt;');
     assert.include(html, '&amp;gt;');
+    assert.include(html, '&lt;/script ');
   });
 
   wrap()
-  .withGlobal('document', () => ({}))
-  .describe('with fromScript', () => {
-    it('loads the escaped content correctly', () => {
-      const html = toScript({ a: 'b' }, { foo: '</script>', bar: '&gt;', baz: '&amp;' });
-      const $ = cheerio.load(html);
+    .withGlobal('document', () => ({}))
+    .describe('with fromScript', () => {
+      it('loads the escaped content correctly', () => {
+        const html = toScript({ a: 'b' }, { foo: '</script>', bar: '&gt;', baz: '&amp;', foobar: '</script x' });
+        const $ = cheerio.load(html);
 
-      global.document.querySelector = () => ({ innerHTML: $($('script')[0]).html() });
+        global.document.querySelector = () => ({ innerHTML: $($('script')[0]).html() });
 
-      const res = fromScript({
-        a: 'b',
-      });
-
-      assert.isObject(res);
+        const res = fromScript({
+          a: 'b',
+        });
 
-      assert.equal(res.foo, '</script>');
-      assert.equal(res.bar, '&gt;');
-      assert.equal(res.baz, '&amp;');
-    });
+        assert.isObject(res);
 
-    it('escapes multiple times the same, with interleaved decoding', () => {
-      const makeHTML = () => toScript({ attr: 'key' }, {
-        props: 'yay',
-        needsEncoding: '" &gt; </script>', // "needsEncoding" is necessary
+        assert.equal(res.foo, '</script>');
+        assert.equal(res.bar, '&gt;');
+        assert.equal(res.baz, '&amp;');
+        assert.equal(res.foobar, '</script x');
       });
-      const script1 = makeHTML();
-      const script2 = makeHTML();
-      assert.equal(script1, script2, 'two successive toScripts result in identical HTML');
 
-      const $ = cheerio.load(script1);
+      it('escapes multiple times the same, with interleaved decoding', () => {
+        const makeHTML = () => toScript({ attr: 'key' }, {
+          props: 'yay',
+          needsEncoding: '" &gt; </script>', // "needsEncoding" is necessary
+        });
+        const script1 = makeHTML();
+        const script2 = makeHTML();
+        assert.equal(script1, script2, 'two successive toScripts result in identical HTML');
 
-      global.document.querySelector = () => ({ innerHTML: $($('script')[0]).html() });
+        const $ = cheerio.load(script1);
 
-      const res = fromScript({ attr: 'key' });
+        global.document.querySelector = () => ({ innerHTML: $($('script')[0]).html() });
 
-      const script3 = makeHTML();
-      assert.equal(
-        script1,
-        script3,
-        'third toScript after a fromScript call results in the same HTML',
-      );
+        const res = fromScript({ attr: 'key' });
 
-      assert.isObject(res);
+        const script3 = makeHTML();
+        assert.equal(
+          script1,
+          script3,
+          'third toScript after a fromScript call results in the same HTML',
+        );
 
-      assert.equal(res.props, 'yay');
+        assert.isObject(res);
+
+        assert.equal(res.props, 'yay');
+      });
     });
-  });
 
   it('escapes quotes and fixes data attributes', () => {
     const markup = toScript({