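// HTML sanitization utilities to prevent XSS when using innerHTML
//
// Data from ADS-B/VRS sources and external CSV files (airline names, countries)
// flows through the Go backend as JSON. While json.Marshal escapes < > &,
// JSON.parse() reverses those escapes. Any dynamic value inserted via innerHTML
// or template literals must be escaped to prevent script injection.
//
// Note on context: this escaping makes a value safe as HTML *text content* and
// inside *quoted* attribute values. It is not sufficient on its own for values
// placed inside <script> blocks, inline event-handler attributes, URLs
// (e.g. href/src), CSS, or unquoted attributes — those contexts need their own
// context-specific encoding or should be avoided entirely (prefer textContent
// and DOM property assignment where possible).

// Entity table for the five characters that can change HTML structure.
// `&` is included so that text which already looks like an entity is shown
// literally rather than re-interpreted; `"` and `'` so the result is safe
// inside either style of quoted attribute value.
const HTML_ENTITIES = Object.freeze({
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
});

// Matches any single character that has an entry in HTML_ENTITIES.
// Used with String.prototype.replace, which resets lastIndex itself, so the
// shared /g regex is safe to reuse across calls.
const HTML_SPECIAL_CHARS = /[&<>"']/g;

/**
 * Escape a string for safe insertion into HTML content or quoted attributes.
 * Converts the five HTML-significant characters (& < > " ') to their entity
 * equivalents in a single pass; all other characters are left untouched.
 *
 * @param {*} value - The value to escape. Non-strings are coerced with
 *   String(); null and undefined become ''.
 * @returns {string} HTML-safe string (never null/undefined).
 */
export function escapeHtml(value) {
  // `== null` deliberately matches both null and undefined.
  if (value == null) return '';
  // Single-pass replacement: each special character is mapped through the
  // table, so `&` is escaped exactly once and never double-encoded by a
  // later step (the order-dependent bug of chained .replace() calls).
  return String(value).replace(HTML_SPECIAL_CHARS, (ch) => HTML_ENTITIES[ch]);
}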