Replace home-grown htmlEncode with lodash escape

Asherah Connorrequested to merge
push-wullukzoxkzn into master

What does this MR do and why?

Replace home-grown htmlEncode with lodash escape.

We rely on lodash and its escape method throughout the codebase; let's use it instead of reinventing the wheel.

This came to my attention in a contributor MR at !208174 (merged), where I pointed out the need for escaping at !208174 (comment 2836221007) and suggested moving and exporting an existing htmlEncode found in the codebase. I don't focus on frontend and didn't know about lodash's escape, but since working across the codebase more I've seen how we use it.

Let's remove our home-cooked version and use lodash's throughout. Their behaviours are equivalent, with one tiny implementation difference: we were replacing ' with ', while lodash's replaces it with '. These mean the same thing and it's totally OK to replace ours with theirs (and makes the escaping used in these two sites consistent with the rest of the frontend!).

How to set up and validate locally

  1. Check out the branch.
  2. Test that issue board continues to look as it did, particularly vis-a-vis the case mentioned at !208174 (comment 2836221007).
  3. Test that HTML serialisation in the rich-text editor continues to correctly escape attribute values. For example, enter the following into the plain-text editor: 
    <table>
<tr>
<td align="&quot;test&apos;ok">oh</td>
</tr>
</table>

hi
    Then switch to the rich-text editor and modify the text "hi". Switch back to the plain-text editor, and you should see the <td>'s align property has been serialised to align="&quot;test&#39;ok", demonstrating the original attribute was parsed in and re-escaped out correctly.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Merge request reports