From 2a19ea223a73d08a73d339ca71252d64ba4ac01f Mon Sep 17 00:00:00 2001
From: Victor Zhou <vzhou@yelp.com>
Date: Fri, 27 Mar 2020 11:55:33 -0700
Subject: [PATCH] Add "<" (&lt) to the ENCODE list

We have found that browsers (at least Chrome and Firefox)
can interpret "/" to close a tag in a HTML comment in a
script tag.

This means that a malicious attacker could submit a
payload like "</script/", prematurely closing the script
tag that a Hypernova comment is in, causing the page to
crash.
---
 src/index.js        | 1 +
 test/escape-test.js | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/index.js b/src/index.js
index 824a5fe..47641a4 100644
--- a/src/index.js
+++ b/src/index.js
@@ -5,6 +5,7 @@ const RIGHT = '-->';
 
 const ENCODE = [
   ['&', '&amp;'],
+  ['<', '&lt;'],
   ['>', '&gt;'],
 ];
 
diff --git a/test/escape-test.js b/test/escape-test.js
index a856983..22ad365 100644
--- a/test/escape-test.js
+++ b/test/escape-test.js
@@ -7,7 +7,7 @@ describe('escaping', () => {
   it('escapes', () => {
     const html = serialize('foo', '', { foo: '</script>', bar: '&gt;' });
 
-    assert.include(html, '</script&gt;');
+    assert.include(html, '&lt;/script&gt;');
     assert.include(html, '&amp;gt;');
   });