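/**
 * Fills `{key}` placeholders in a template string with values taken from
 * `obj`, HTML-escaping every substituted value so that data cannot be parsed
 * as markup when the result is assigned to `innerHTML`.
 *
 * Example:
 *   document.body.innerHTML =
 *     format('<div>I am {name}, my website is <a href="{website}">{website}</a>!</div>', {
 *       name: '<script>document.body.innerHTML="XSS!"</script>',
 *       website: '<b>html</b>'
 *     });
 *
 * Security notes:
 * - Only the substituted values are escaped; `str` itself is emitted verbatim
 *   and must come from a trusted source.
 * - Escaping `& < > " '` is sufficient for element content and for quoted
 *   attribute values. It does not make a value safe inside an unquoted
 *   attribute, a <script>/<style> block, or as a URL: a value placed in
 *   `href` still needs its scheme validated by the caller.
 *
 * @param {String} str Trusted template containing `{key}` or `{index}` placeholders.
 * @param {Object<String, *>|Array<*>} obj Values looked up by own property name or array index.
 * @returns {String} result The template with known placeholders replaced by escaped values.
 */
const format = (str, obj) => {
  const HTML_ESCAPES = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  const escapeHtml = (value) =>
    String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);

  // Tolerate a missing values object: every placeholder is then left as-is.
  const values = obj == null ? {} : obj;

  // Single pass: text inserted for one placeholder is never re-scanned, so a
  // value that itself contains "{other}" cannot trigger a second substitution.
  return String(str).replace(/\{([^{}]+)\}/g, (placeholder, key) => {
    // Own properties only, so "{constructor}" or "{toString}" cannot pull
    // inherited members of Object.prototype into the output.
    if (!Object.prototype.hasOwnProperty.call(values, key)) {
      return placeholder;
    }
    const value = values[key];
    // null/undefined render as an empty string rather than "null"/"undefined".
    return value == null ? '' : escapeHtml(value);
  });
};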
// Demo input: a trusted template plus a data object whose values contain
// markup, used to check that format() neutralises them.
let tpl = '<div>I am {name}, my website is <a href="{website}">{website}</a>!</div>';
let data = {
  name: '<script>document.body.innerHTML="XSS!"</script>',
  website: '<b>html</b>'
};

// innerHTML parses the assigned string as markup, so this sink is only safe
// when format() HTML-escapes every substituted value.
document.body.innerHTML = format(tpl, data);
console