Skip to content

Commit

Permalink
Improve HTML escaping.
Browse files Browse the repository at this point in the history
This closes a couple of potential exploit scenarios.
Backtick (`) for older IEs and equals (=) for unquoted attributes.

Refs handlebars-lang/handlebars.js@83b8e84
Closes #388
  • Loading branch information
phillipj committed Nov 17, 2015
1 parent 53b1c95 commit 378bcca
Show file tree
Hide file tree
Showing 3 changed files with 6 additions and 4 deletions.
6 changes: 4 additions & 2 deletions mustache.js
Original file line number Diff line number Diff line change
Expand Up @@ -63,11 +63,13 @@
'>': '>',
'"': '"',
"'": ''',
'/': '/'
'/': '/',
'`': '`',
'=': '='
};

function escapeHtml (string) {
return String(string).replace(/[&<>"'\/]/g, function fromEntityMap (s) {
return String(string).replace(/[&<>"'`=\/]/g, function fromEntityMap (s) {
return entityMap[s];
});
}
Expand Down
2 changes: 1 addition & 1 deletion test/_files/escaped.js
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,5 @@
title: function () {
return "Bear > Shark";
},
entities: "&quot; \"'<>/"
entities: "&quot; \"'<>`=/"
})
2 changes: 1 addition & 1 deletion test/_files/escaped.txt
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
<h1>Bear &gt; Shark</h1>
And even &amp;quot; &quot;&#39;&lt;&gt;&#x2F;, but not &quot; "'<>/.
And even &amp;quot; &quot;&#39;&lt;&gt;&#x60;&#x3D;&#x2F;, but not &quot; "'<>`=/.

0 comments on commit 378bcca

Please # to comment.