Comments (10)
Can we please have autoescaping turned on by a global option (so it doesn't break legacy code)? Something like:
Template7.setAutoEscaping(true);
It would also require providing a way not to escape a value; Handlebars uses the "triple-stash" {{{ ... }}} and Handlebars.SafeString() in helpers.
from template7.
I am not sure you really tested it with Template7, because each of the outputs is not what you get in Template7:
You write:
'<script>alert(1)<\/script>' -> Empty string
But actually:
'<script>alert(1)<\/script>' -> '<script>alert(1)</script>'
You write:
'<foo>alert(1)<\/foo>' -> Empty string
But actually:
'<foo>alert(1)<\/foo>' -> '<foo>alert(1)</foo>'
You write:
'<foo>alert(1)</foo>' -> '<foo>alert(1)</foo>'
But actually:
'<foo>alert(1)</foo>' -> '<foo>alert(1)</foo>'
You write:
'<script>alert(1)<\/script>' -> Empty string
But actually:
'<script>alert(1)<\/script>' -> '<script>alert(1)</script>'
You write:
'<foo>alert(1)</foo>' + {{{text}}} -> Error
But actually:
'<foo>alert(1)</foo>' + {{{text}}} -> '{<foo>alert(1)</foo>}'
from template7.
Yeap, I can replicate it.
My bower file:
"dependencies": {
"framework7": "1.0.6",
"template7" : "1.0.5",
"handlebars": "3.0.3",
"requirejs" : "2.1.18",
"text" : "2.0.14"
}
from template7.
Ok, type in browser console:
Template7.compile('{{text}}')({text:'<script>alert(1)<\/script>'});
You will not see an empty string, as you wrote.
from template7.
It's true.
I mean
Dom7('body').html(Template7.compile('{{text}}')({text:'<script>alert(1)<\/script>'}))
from template7.
This is different. Template7 doesn't do any escaping like Handlebars does. If you need it, you may use the encode
helper, which is released in the latest version, like {{encode text}}
from template7.
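The behaviour argued over in this thread, as an added example that is not Template7's code: a minimal mustache-style renderer with autoescaping on by default (the global option proposed in the first comment), the triple-stash {{{ ... }}} for raw output, a SafeString marker for values a helper has already made safe, and the HTML-entity encoding that an encode-style helper performs. The names escapeHtml, SafeString, render, demo and the autoEscape option are illustrative assumptions; Template7's real encode helper and any setAutoEscaping option are not called, and the sample payload is the one used in the thread.

```javascript
// Added example, not Template7's implementation. Names below are assumptions.

const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '`': '&#x60;',
  '=': '&#x3D;',
};

// Entity-encode every character that can break out of an HTML text node or a
// quoted attribute value. This is the kind of work an `encode` helper does.
function escapeHtml(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"'`=]/g, (ch) => ESCAPE_MAP[ch]);
}

// Marker for HTML a helper has deliberately built and vouches for
// (the Handlebars.SafeString idea): it bypasses autoescaping.
class SafeString {
  constructor(html) { this.html = String(html); }
  toString() { return this.html; }
}

// Render `{{name}}` (escaped when autoEscape is on) and `{{{name}}}` (always
// raw). Lookup is a single-level property read; blocks and helpers are not
// implemented, the point is only the escaping decision per placeholder.
function render(template, context, { autoEscape = true } = {}) {
  return template.replace(
    /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g,
    (match, rawName, escName) => {
      if (rawName !== undefined) {
        const raw = context[rawName];
        return raw == null ? '' : String(raw);   // triple-stash: opt-out
      }
      const value = context[escName];
      if (value instanceof SafeString) return value.toString();
      if (!autoEscape) return value == null ? '' : String(value);
      return escapeHtml(value);
    },
  );
}

// Constructed sample input: the payload from the thread.
const PAYLOAD = '<script>alert(1)<\/script>';

function demo() {
  return {
    // what an engine without autoescaping hands to .html(): a live script tag
    legacy: render('{{text}}', { text: PAYLOAD }, { autoEscape: false }),
    // autoescaping on: the same value becomes inert text
    escaped: render('{{text}}', { text: PAYLOAD }),
    // explicit opt-out for callers who really want markup
    raw: render('{{{text}}}', { text: PAYLOAD }),
    // helper-produced markup passes through via SafeString
    safe: render('{{text}}', { text: new SafeString('<b>trusted</b>') }),
  };
}
```

Handing the escaped result to the DOM, as in the Dom7('body').html(...) call above, inserts literal text rather than a script element. Entity encoding only covers HTML text and quoted attribute values; a value that lands inside a script block, a URL or an unquoted attribute needs a context-specific encoder, so an autoescape default reduces, but does not remove, the need to know where each value ends up.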
Actually, encoding should be used by default to prevent XSS-like attacks.
You should pay attention to other template engines like Jade, Handlebars and Fest, which follow OWASP practice.
from template7.
Maybe, but if I add it now, it could bring a lot of breaking changes to existing apps and issues for all who use it as it is now.
from template7.
Yep, you'd bump the major version )
from template7.
But at the moment that is not an option, as it is heavily used in Framework7, where I would need to bump the major version too then )
from template7.