Handlebars triple-stash to avoid escaping html entities

I use handlebars, and if an escaped character such as ' is processed, it is rendered on screen as '.

I know wrapping the variable in a triple-stash will prevent this.

I processed the following string within a triple-stash as a quick test and it seemed fine "<p>hello<p>wouldn't wouldn&#39;t" This rendered to screen exactly how I wanted it to.

My question is: is it safe to simply wrap all variables in a triple-stash, or will this have some unforeseen consequences I haven't considered?

Thanks

DavidB asked Jan 13 '15 16:01




1 Answer

By default all double-stashed {{var}} embeds in Handlebars will be HTML-escaped. It's performed for security reasons, to avoid DOM XSS vulnerabilities, because your variable may contain any data, including user data or any kind of untrusted data.

In some cases you will need to embed your data as-is, without escaping. This is where the triple-stash {{{var}}} is used. But every time you do this, you need to think about what may be in your data and whether you can trust it.

Read more about HTML Escaping on Handlebars site.

raidendev answered Nov 03 '22 05:11
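To make the difference between the two embed forms concrete, here is an added example that is not part of the question, the answer, or the Handlebars project itself: a miniature renderer that models how Handlebars treats {{var}} versus {{{var}}}, a SafeString-style marker for HTML that is already trusted, and a small audit helper that lists every triple-stash in a template so those spots can be reviewed. The character table is assumed to match what Handlebars.escapeExpression uses; the render, SafeString and findUnescapedEmbeds names are this example's own, not the library's API.

```javascript
// Added example (not Handlebars' own code): a miniature model of how
// Handlebars treats {{var}} versus {{{var}}}, plus a template audit helper.

// Assumed to be the same character table Handlebars.escapeExpression uses.
const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;',
  '=': '&#x3D;',
};

// Escape every character that could change HTML or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => ESCAPE_MAP[ch]);
}

// Marker for HTML that has already been sanitised or produced by trusted
// code; a double-stash inserts it verbatim (mirrors Handlebars.SafeString).
class SafeString {
  constructor(html) { this.html = String(html); }
  toString() { return this.html; }
}

function lookup(data, name) {
  const v = data[name];
  return v === undefined || v === null ? '' : v;
}

// One regex, one pass: text inserted by a placeholder is never re-scanned,
// so data that itself contains "{{...}}" cannot smuggle in a new embed.
const EMBED = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*([\w.]+)\s*\}\}/g;

function render(template, data) {
  return template.replace(EMBED, (_match, rawName, escName) => {
    if (rawName !== undefined) {
      // {{{var}}}: inserted as-is, whatever it contains.
      return String(lookup(data, rawName));
    }
    // {{var}}: escaped unless the value was explicitly marked as safe.
    const v = lookup(data, escName);
    return v instanceof SafeString ? v.toString() : escapeHtml(v);
  });
}

// Audit helper: list the variables a template embeds without escaping, so
// each one can be checked against where its data actually comes from.
function findUnescapedEmbeds(template) {
  const names = [];
  for (const m of template.matchAll(/\{\{\{\s*([\w.]+)\s*\}\}\}/g)) {
    names.push(m[1]);
  }
  return names;
}

// Constructed sample inputs for the demo below.
const untrusted = '<script>/* untrusted */</script>';   // user-supplied
const preEscaped = "wouldn&#39;t";                      // already an entity

function demo() {
  return {
    // Untrusted data through {{ }}: the tag becomes inert text.
    escaped: render('<p>{{name}}</p>', { name: untrusted }),
    // The questioner's symptom: an entity that is escaped a second time.
    doubleEscaped: render('<p>{{text}}</p>', { text: preEscaped }),
    // Marking the value as trusted keeps the entity intact without {{{ }}}.
    trusted: render('<p>{{text}}</p>', { text: new SafeString(preEscaped) }),
    // Untrusted data through {{{ }}}: the tag survives, which is the risk.
    raw: render('<p>{{{name}}}</p>', { name: untrusted }),
    audit: findUnescapedEmbeds('{{title}} {{{body}}} {{{ footer }}}'),
  };
}

console.log(demo());
```

The practical takeaway: a blanket triple-stash turns every variable into the `raw` case above, so the safer pattern for a value like `wouldn&#39;t` is to decode or sanitise it once at the point where it is known to be trustworthy and mark it as safe, while leaving ordinary {{ }} escaping in place everywhere else; the audit helper makes it easy to enumerate the triple-stash sites that need that review.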