From 5ceb2f0fa4bb5c7b48ec18010fabc406a4d0b8c5 Mon Sep 17 00:00:00 2001
From: Nikolay Kostyurin
Date: Wed, 8 Jul 2020 19:34:12 +0200
Subject: [PATCH] fix(plugin-helper): escape case insensitive javascript: attrs
---
 packages/bbob-plugin-helper/src/index.js | 2 +-
 packages/bbob-plugin-helper/test/index.test.js | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/packages/bbob-plugin-helper/src/index.js b/packages/bbob-plugin-helper/src/index.js
index eb5d473..31e0fab 100644
--- a/packages/bbob-plugin-helper/src/index.js
+++ b/packages/bbob-plugin-helper/src/index.js
@@ -34,7 +34,7 @@ const escapeHTML = (value) => value
 .replace(/"/g, '"')
 .replace(/'/g, ''')
 // eslint-disable-next-line no-script-url
- .replace('javascript:', 'javascript%3A');
+ .replace(/(javascript):/gi, '$1%3A');
 /**
 * Acept name and value and return valid html5 attribute string
diff --git a/packages/bbob-plugin-helper/test/index.test.js b/packages/bbob-plugin-helper/test/index.test.js
index ac9cc12..8cfa4fa 100644
--- a/packages/bbob-plugin-helper/test/index.test.js
+++ b/packages/bbob-plugin-helper/test/index.test.js
@@ -92,6 +92,12 @@ describe('@bbob/plugin-helper', () => {
 href: `javascript:alert('hello')`,
 })).toBe(` onclick="javascript%3Aalert('hello')" href="javascript%3Aalert('hello')"`)
 });
+ test(`JAVASCRIPT:alert("hello")`, () => {
+ expect(attrsToString({
+ onclick: `JAVASCRIPT:alert('hello')`,
+ href: `JAVASCRIPT:alert('hello')`,
+ })).toBe(` onclick="JAVASCRIPT%3Aalert('hello')" href="JAVASCRIPT%3Aalert('hello')"`)
+ });
 test(``, () => {
 expect(attrsToString({
 onclick: ``,
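Review bot: The new `/(javascript):/gi` on the added line still matches only the contiguous token, so the whitespace-split spellings browsers accept — an href of `java\tscript:alert(1)` or `javascript\n:alert(1)` — pass through unchanged, because the URL parser removes ASCII tab, LF and CR before it resolves the scheme; escapeHTML's `(value) => value` header and its earlier `.replace` calls sit above this hunk. At minimum I would let the matcher tolerate those characters inside and after the keyword, `.replace(/(j[\t\r\n]*a[\t\r\n]*v[\t\r\n]*a[\t\r\n]*s[\t\r\n]*c[\t\r\n]*r[\t\r\n]*i[\t\r\n]*p[\t\r\n]*t)[\t\r\n]*:/gi, '$1%3A')`, and put a comment above the eslint-disable line such as `// blocklist only: rewrites the javascript: scheme anywhere in the value; URL attributes still need an allowlisted scheme check`. Because this runs over every attribute value it also mangles harmless text (a title containing "javascript:") while doing nothing for `vbscript:` or `data:` URLs, so the durable fix is a scheme allowlist on href/src in the attribute builder whose docblock starts at the end of this hunk, leaving escapeHTML as a pure HTML escaper. The onclick expectation in the test file is worth keeping in mind here: for event-handler attributes the rewrite is cosmetic, since the handler body still executes, and such attributes should be dropped rather than escaped.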
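Review bot: The added case exercises only the all-uppercase spelling, so it cannot tell the `/i` flag apart from a second literal replace; a mixed-case value with an embedded tab, e.g. `onclick: "JaVa\tScRiPt:alert('hello')"` expected to come out as `JaVa\tScRiPt%3Aalert('hello')`, would pin both case-insensitivity and the tab/newline stripping browsers apply to URL schemes. Against the regex as committed in src/index.js that input passes through unchanged, so the test would fail until the matcher tolerates those characters inside the keyword — which is the gap worth documenting rather than hiding. I would also title the test by what it asserts instead of by the input (the title uses double quotes while the values use single quotes), e.g. `test('escapes the javascript: scheme case-insensitively', () => {`.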