Name: secure-handlebars-helpers
Owner: Yahoo Inc.
Description: secure-handlebars-helpers
Created: 2015-02-09 19:35:53.0
Updated: 2015-10-28 20:24:51.0
Pushed: 2016-05-13 15:43:48.0
Size: 254
Language: JavaScript
This handy client-side script registers the implementations of the contextual XSS escaping filters as Handlebars helpers, and is designed solely for use with templates processed by the secure-handlebars package (e.g., <title>{{{yd title}}}</title> is one of the typical patterns of a processed template).
Download the latest version at dist/secure-handlebars-helpers.min.js, and embed it after the handlebars script file.
<script type="text/javascript" src="dist/handlebars.js"></script>
<script type="text/javascript" src="dist/secure-handlebars-helpers.min.js"></script>
<script type="text/javascript">
var templateSpec = Handlebars.compile("<title>{{{yd title}}}</title>");
// "<\/script>" keeps the HTML parser from ending this inline script block early
var data = {title: "<script>alert('xss')<\/script>"};
// html is assigned <title>&lt;script>alert('xss')&lt;/script></title>
var html = templateSpec(data);
</script>
Note: Read more about the underlying principle of contextual output filtering at xss-filters.
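The following added example (not code from this project or from xss-filters) illustrates why a processed template needs a filter matched to each output context. The filter bodies are simplified stand-ins, the helper name dqAttr and the render function are hypothetical, and the sample inputs are constructed.

```javascript
// Added example: simplified stand-ins, not the secure-handlebars-helpers source.
const helpers = {
  // Stand-in for the page's `yd` helper (HTML data context): neutralise tag openers.
  yd: (s) => String(s).replace(/</g, '&lt;'),
  // Hypothetical helper name for a double-quoted attribute value context.
  dqAttr: (s) => String(s).replace(/"/g, '&quot;'),
};

// Minimal renderer for the processed-template pattern {{{helper name}}}.
function render(template, data) {
  return template.replace(/\{\{\{\s*(\w+)\s+(\w+)\s*\}\}\}/g, (m, helper, key) => {
    if (!Object.prototype.hasOwnProperty.call(helpers, helper)) {
      // Fail closed: never emit a value through a filter that is not registered.
      throw new Error('unregistered helper: ' + helper);
    }
    const value = Object.prototype.hasOwnProperty.call(data, key) ? data[key] : '';
    return helpers[helper](value);
  });
}

// Constructed sample inputs.
const data = {
  title: "<script>alert('xss')</script>",
  tip: 'x" data-injected="1',
};

function demo() {
  return {
    // Correct filter for the HTML data context.
    dataContext: render('<title>{{{yd title}}}</title>', data),
    // Wrong filter for the context: the quote survives and closes the attribute.
    attrWithDataFilter: render('<p title="{{{yd tip}}}">hi</p>', data),
    // Context-matched filter: the value stays inside the attribute.
    attrWithAttrFilter: render('<p title="{{{dqAttr tip}}}">hi</p>', data),
  };
}

console.log(demo());
```

The second result shows the data-context filter leaving an extra attribute in the markup, which is the mismatch that per-context helpers are meant to prevent.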
To contribute, you can help make changes in src/ and tests/, followed by the following commands:
This software is free to use under the Yahoo BSD license. See the LICENSE file for license text and copyright information.