BBCode with XSS escape?

There is a string like:

jaksldhfklajsfdhdkjf[bbcode]img url[/bbcode]kjalhdfk<script>alert(1)</script>sdlfjah

…and I want it to become:

jaksldhfklajsfdhdkjf<img src="img url" />kjalhdfk&lt;script&gt;alert(1)&lt;/script&gt;sdlfjah

…using JavaScript only.

I can't find a JS library that can do it. Is there a completed library or another way (or different logic) to prevent unsafe input?

Solution

The best way to do what you are trying to do is by making escapement replacements before parsing the BBCode.

function escape(s) { // http://escape.alf.nu/
    function html(a) {
        return {'>':'&gt;', '<':'&lt;', '"':'&quot;'}[a] || a;
    }
    s = s.replace(/[<>"]/g, html);
    s = s.replace(/\[bbcode]((?:http:|ftp:\/)\/\/.*?)\[\/bbcode]/g, '<img src="$1">');
    return s;
}

Convert 64 bit Steam ID to 32 bit account ID
Error: Absolute route path "/" nested under path "/app" is not valid
How to search all JavaScript sources in Chrome Developer Tools?
How to send a property from an array of object from a child component to the parent component?
Toggle grid on draggable
Supabase and Google Apps Script
create a web app that sends a standard text message to a user submitted phone number
Puppeteer , bringing back blank array
fabric.js limit rotation to x degrees with rotation handle
How do I recognize swipe events in React?
How does jQuery make it so that its array-like collection objects are displayed like arrays in the browser console?
Running a similar App Scripts code on Multiple Sheets
Creating object with dynamic keys
Sequentially Numbering Footnotes with React
Shortens the data back to 5 characters if you put more that 5 in
Reference to "this" is null in function called by redux-saga call
Automatically Delete Files from Google Drive Older than 3 Days
Html and css to add colorful codes
Filter/Remove array object based on value, from nested JSON array object in JavaScript
Argument of type 'string' is not assignable to parameter of type 'Auth'
Algorithm to convert semi-transparent to solid color
Format JavaScript date as yyyy-mm-dd
How can I add an event for a one time click to a function?
how can I disable everything inside a form using javascript/jquery?
How to change screen and setState at the same time on first click in React Native
Is there a way to tell if ReactElement renders "null"?
Trigger Firebase Cloud Function on linkWithCredential()
Event triggered when changing a user Firebase Authentication
fabric.js-adding an event handler to an object doesn't work
browser sessionStorage. share between tabs?