HandlebarsJS-helpers

Security

Open littke opened this issue 11 years ago • 3 comments

By not escaping the input to the helpers, you're opening up for the newly constructed string to include XSS. For example, <scr\nipt> will become <script>, no? Since you're returning a SafeString, it won't be escaped.

littke avatar Oct 15 '13 09:10 littke

See http://handlebarsjs.com/ and search for "Handlebars will not escape a".

littke avatar Oct 15 '13 09:10 littke

Thanks for noticing, but in most cases SafeString is returned on purpose, and I believe that escaping is the developer's responsibility. The best approach here, I think, would be optional arguments for escaping/not escaping. Or maybe I misunderstand something?

ziogas avatar Oct 15 '13 09:10 ziogas

If I'm running {{truncate variable 25}} and that variable has HTML in it, that HTML will be parsed by the browser, thus not escaped. That is insecure.

If I'm running {{variable}} and that variable has HTML in it, that HTML will be NOT parsed by the browser, thus it is escaped. That is secure.

I don't see how this should be the dev's responsibility. If I wanted it unescaped, I'd use triple-quotes instead. Don't know how that works with helpers, though.

littke avatar Oct 15 '13 12:10 littke
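As an added example (not code from the HandlebarsJS-helpers project or from either commenter), the JavaScript below models the behaviour the thread is arguing about: a `truncate` helper that wraps its raw input in a `SafeString` hands any markup in the variable to the browser unescaped, while `{{variable}}` on its own is escaped. To run offline without the `handlebars` package, `escapeExpression`, `SafeString` and `emit` are small stand-ins written here; the escape table mirrors the seven characters Handlebars documents (`& < > " ' \` =`), and `emit` reproduces the rule that a `SafeString` bypasses escaping. The `escape=false` hash option on the hardened helper is a hypothetical illustration of the opt-out ziogas proposes, not an existing option of the project.

```javascript
// Added example, not the HandlebarsJS-helpers code. Stand-ins below model the
// Handlebars runtime so the block runs without the library installed.

// Escape table as documented for Handlebars.Utils.escapeExpression.
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

function escapeExpression(str) {
  // Handlebars coerces non-strings before escaping; do the same here.
  return String(str).replace(/[&<>"'`=]/g, (ch) => ESCAPE_MAP[ch]);
}

// Stand-in for Handlebars.SafeString: wrapped values are emitted verbatim.
class SafeString {
  constructor(str) { this.string = String(str); }
  toString() { return this.string; }
}

// Models what the runtime does with a double-stash {{...}} expression:
// a SafeString is written as-is, anything else goes through escapeExpression.
function emit(value) {
  return value instanceof SafeString ? value.toString() : escapeExpression(value);
}

function cut(str, length) {
  const s = String(str);
  return s.length > length ? s.slice(0, length) + '...' : s;
}

// The pattern reported in the issue: truncate the raw input, then mark it
// safe. Any HTML inside `str` reaches the page unescaped.
function truncateUnsafe(str, length) {
  return new SafeString(cut(str, length));
}

// Hardened form: truncate the plain text FIRST, then escape, then wrap.
// Escaping before truncating could slice an entity in half (e.g. "&am"),
// so the order matters. `options.hash.escape === false` is a hypothetical
// opt-out in the style Handlebars passes hash arguments to helpers.
function truncateSafe(str, length, options = {}) {
  const out = cut(str, length);
  const wantEscape = !(options.hash && options.hash.escape === false);
  return new SafeString(wantEscape ? escapeExpression(out) : out);
}

// Constructed sample input: a payload short enough that {{truncate v 25}}
// does not cut the tag.
const PAYLOAD = '<svg onload=alert(1)>';

// Returns what each rendering path would write into the page.
function renderAll(value, length) {
  return {
    plain: emit(value),                          // {{variable}}
    unsafeHelper: emit(truncateUnsafe(value, length)), // issue's {{truncate variable 25}}
    safeHelper: emit(truncateSafe(value, length)),     // hardened helper
  };
}

const result = renderAll(PAYLOAD, 25);
console.log('{{variable}}            :', result.plain);
console.log('unsafe truncate helper  :', result.unsafeHelper);
console.log('hardened truncate helper:', result.safeHelper);
```

Running it shows the asymmetry littke describes: `plain` and `safeHelper` both come out as `&lt;svg onload&#x3D;alert(1)&gt;`, while `unsafeHelper` writes `<svg onload=alert(1)>` into the document. Note that the hardened helper escapes the truncated text rather than the original, so a long value such as `Hello & welcome to <b>Handlebars</b> helpers` becomes `Hello &amp; welcome to &lt;b&gt;Han...` instead of ending on a broken entity.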