Escape text from custom transformTags functions.

This makes custom tag transformations less error-prone.
Prior to this patch, tag transformations which turned an attribute
value into a text node could be vulnerable to code execution.

The operative change prevents any Frame's innerText from specifying
tag tokens.

Author: mikesamuel

index.js

@@ -192,7 +192,7 @@ function sanitizeHtml(html, options, _recursing) {
       } else {
         result += ">";
         if (frame.innerText && !hasText && !options.textFilter) {
-          result += frame.innerText;
+          result += escapeHtml(frame.innerText);
         }
       }
     },

test/test.js

@@ -532,4 +532,28 @@ describe('sanitizeHtml', function() {
       '<a href="/welcome">test</a>'
     );
   });
+  it('text from transformTags should not specify tags', function() {
+    var input = '<input value="&lt;script&gt;alert(1)&lt;/script&gt;">';
+    var want = '<u class="inlined-input">&lt;script&gt;alert(1)&lt;/script&gt;</u>';
+    // Runs the sanitizer with a policy that turns an attribute into
+    // text.  A policy like this might be used to turn inputs into
+    // inline elements that look like the original but which do not
+    // affect form submissions.
+    var got = sanitizeHtml(
+        input,
+        {
+          allowedTags: [ 'u' ],
+          allowedAttributes: { '*': ['class'] },
+          transformTags: {
+            input: function (tagName, attribs) {
+              return {
+                tagName: 'u',
+                attribs: { class: 'inlined-input' },
+                text: attribs.value
+              };
+            }
+          }
+        });
+    assert.equal(got, want);
+  });
 });