Escape = in HTML content
There was a potential XSS exploit when using unquoted attributes that this should help reduce. Fixes #1083
This commit is contained in:
@@ -4,11 +4,12 @@ const escape = {
|
||||
'>': '>',
|
||||
'"': '"',
|
||||
"'": ''',
|
||||
'`': '`'
|
||||
'`': '`',
|
||||
'=': '='
|
||||
};
|
||||
|
||||
const badChars = /[&<>"'`]/g,
|
||||
possible = /[&<>"'`]/;
|
||||
const badChars = /[&<>"'`=]/g,
|
||||
possible = /[&<>"'`=]/;
|
||||
|
||||
function escapeChar(chr) {
|
||||
return escape[chr];
|
||||
|
||||
@@ -18,6 +18,7 @@ describe('utils', function() {
|
||||
describe('#escapeExpression', function() {
|
||||
it('shouhld escape html', function() {
|
||||
equals(Handlebars.Utils.escapeExpression('foo<&"\'>'), 'foo<&"'>');
|
||||
equals(Handlebars.Utils.escapeExpression('foo='), 'foo=');
|
||||
});
|
||||
it('should not escape SafeString', function() {
|
||||
var string = new Handlebars.SafeString('foo<&"\'>');
|
||||
|
||||
Reference in New Issue
Block a user