yahoo/secure-handlebars-helpers

Name: secure-handlebars-helpers

Owner: Yahoo Inc.

Description: secure-handlebars-helpers

Created: 2015-02-09 19:35:53.0

Updated: 2015-10-28 20:24:51.0

Pushed: 2016-05-13 15:43:48.0

Homepage:

Size: 254

Language: JavaScript

README

secure-handlebars-helpers

This client-side script registers the implementations of the contextual XSS escaping filters as Handlebars helpers. It is designed solely for use with templates that have been processed by the secure-handlebars package (e.g., <title>{{{yd title}}}</title> is a typical pattern in a processed template).

Quick Start
Client-side (browser)

Download the latest version at dist/secure-handlebars-helpers.min.js, and embed it after the handlebars script file.

<script type="text/javascript" src="dist/handlebars.js"></script>
<script type="text/javascript" src="dist/secure-handlebars-helpers.min.js"></script>

<script type="text/javascript">
var templateSpec = Handlebars.compile("<title>{{{yd title}}}</title>");
// html is assigned <title>&lt;script>alert('xss')&lt;/script></title>
// "<\/script>" is written with a backslash so the HTML parser does not end this inline script early
var data = {title: "<script>alert('xss')<\/script>"};
var html = templateSpec(data);
</script>

Note: Read more about the underlying principle of contextual output filtering at xss-filters.
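The following is an added example, not code from this package or from xss-filters. It shows why the filter has to match the output context: the README's yd output is reproduced with a simplified stand-in, then compared with a filter for a double-quoted attribute value. The helper name attrDq, both filter functions, the toy registerHelper/render pair and the sample data are assumptions made for illustration.

```javascript
// Added example: simplified stand-ins, not the package's own implementation.

// Filter for the HTML data context (the role `yd` plays in the README).
// Matches the README output: only '<' is rewritten, '>' is left alone.
function htmlDataFilter(value) {
  return String(value).replace(/</g, '&lt;');
}

// Hypothetical filter for a double-quoted attribute value: the quote
// character is what ends that context, so it is what must be encoded.
function doubleQuotedAttrFilter(value) {
  return String(value).replace(/"/g, '&quot;');
}

// Toy helper registry standing in for Handlebars.registerHelper().
const helpers = Object.create(null);
function registerHelper(name, fn) { helpers[name] = fn; }

registerHelper('yd', htmlDataFilter);
registerHelper('attrDq', doubleQuotedAttrFilter); // helper name is an assumption

// Toy renderer: supports only the processed-template form {{{helper key}}}.
// An unregistered helper throws instead of emitting raw data (fail closed).
function render(template, data) {
  return template.replace(/\{\{\{\s*(\w+)\s+(\w+)\s*\}\}\}/g, (match, helper, key) => {
    const fn = helpers[helper];
    if (!fn) throw new Error('no filter registered for helper: ' + helper);
    const present = Object.prototype.hasOwnProperty.call(data, key);
    return fn(present ? data[key] : '');
  });
}

// Constructed sample input.
const sampleData = { title: "<script>alert('xss')</script>", label: 'a" b' };

function demo() {
  return {
    // Same result as the README's Quick Start.
    title: render('<title>{{{yd title}}}</title>', sampleData),
    // Filter matches the context: the quote is encoded.
    rightFilter: render('<input value="{{{attrDq label}}}">', sampleData),
    // HTML-data filter reused in an attribute: the quote passes through
    // and the attribute value ends early.
    wrongFilter: render('<input value="{{{yd label}}}">', sampleData),
  };
}
```

Comparing rightFilter with wrongFilter in the object returned by demo() shows that a filter chosen for one context gives no protection in another, which is why the helper for each placeholder is selected by the secure-handlebars processing step rather than by hand.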

Contribute

To contribute, you can help make changes in src/ and tests/, followed by the following commands:

License

This software is free to use under the Yahoo BSD license. See the LICENSE file for license text and copyright information.


This work is supported by the National Institutes of Health's National Center for Advancing Translational Sciences, Grant Number U24TR002306. This work is solely the responsibility of the creators and does not necessarily represent the official views of the National Institutes of Health.