Comments (10)
PetrToman
commented on June 28, 2024
1
Can we please have autoescaping turned on by a global option (so it doesn't break legacy code)? Something like:
Template7.setAutoEscaping(true);
It would also require to provide a way not to escape a value - Handlebars uses "triple-stash" {{{ ... }}} and Handlebars.SafeString() in helpers.
from template7.
nolimits4web
commented on June 28, 2024
I am not sure did you really test it with Template7, because each of output is not what you get in Template7:
You write:
'<script>alert(1)<\/script>' -> Empty string
But actually:
'<script>alert(1)<\/script>' -> '<script>alert(1)</script>'
You write:
'<foo>alert(1)<\/foo>' -> Empty string
But actually:
'<foo>alert(1)<\/foo>' -> '<foo>alert(1)</foo>'
You write:
'<foo>alert(1)</foo>' -> '<foo>alert(1)</foo>'
But actually:
'<foo>alert(1)</foo>' -> '<foo>alert(1)</foo>'
You write:
'<script>alert(1)<\/script>' -> Empty string
But actually:
'<script>alert(1)<\/script>' -> '<script>alert(1)</script>'
You write:
'<foo>alert(1)</foo>' + {{{text}}} -> Error
But actually:
'<foo>alert(1)</foo>' + {{{text}}} -> '{<foo>alert(1)</foo>}'
from template7.
monolithed
commented on June 28, 2024
Yeap, I can replicate it.
My bower file:
"dependencies": {
"framework7": "1.0.6",
"template7" : "1.0.5",
"handlebars": "3.0.3",
"requirejs" : "2.1.18",
"text" : "2.0.14"
}from template7.
nolimits4web
commented on June 28, 2024
Ok, type in browser console:
Template7.compile('{{text}}')({text:'<script>alert(1)<\/script>'});
You will not see empty string as you wrote
from template7.
monolithed
commented on June 28, 2024
It's true.
I mean
Dom7('body').html(Template7.compile('{{text}}')({text:'<script>alert(1)<\/script>'}))from template7.
nolimits4web
commented on June 28, 2024
This is a different. Template7 doesn't do any escaping like Handlebars. If you need it, you may use encode helper which is released in latest version, like {{encode text}}
from template7.
monolithed
commented on June 28, 2024
Actually the encoding should be used by default to prevent XSS-like attacks.
You'd pay attention to other template engines like Jade, Handlebars, Fest are used OWASP practice.
from template7.
nolimits4web
commented on June 28, 2024
Maybe, but if i add it now, it could bring a lot of breaking changes in existing apps and issues for all who use it like it is now
from template7.
monolithed
commented on June 28, 2024
Yep, you'd up the major version )
from template7.
nolimits4web
commented on June 28, 2024
But at the moment is not an option as it is heavily used in Framework7, where i will need to up a major version too then )
from template7.
Related Issues (20)
- For loop expression HOT 1
- How to Assign The Select Element Value In a Loop HOT 2
- Предложение: реализовать возможность в js_if подниматься на уровень "вверх", как в обычном if
- Thier is a way to create global nav or footer?
- escaping undefined and null
- Несколько предложений по расширению шаблонов
- Going back to "each"-context , after accessing parrent variable.
- How convert float (number) to string?
- variable helper HOT 1
- each use hasOwnProperty the inherited properties are not displayed.
- Parameterized partials
- how to use in expressjs?
- Can not compile
- js_if: проверка на свойства объекта, которое null
- QUESTION: Precompile templates HOT 1
- js not working in IOS? HOT 1
- #js_if: Cannot read property 'constructor' of undefined
- Feature {{@index + 1}} HOT 1
- issue in html attribute when value has spaces HOT 1
- Documentation website is down! HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from template7.