Escape = in HTML content

There was a potential XSS exploit when using unquoted attributes that this should help reduce.

Fixes #1083
This commit is contained in:
kpdecker
2015-09-01 01:44:35 -05:00
parent b0d217e13d
commit 83b8e846a3
2 changed files with 5 additions and 3 deletions
+4 -3
View File
@@ -4,11 +4,12 @@ const escape = {
'>': '>',
'"': '"',
"'": ''',
'`': '`'
'`': '`',
'=': '='
};
const badChars = /[&<>"'`]/g,
possible = /[&<>"'`]/;
const badChars = /[&<>"'`=]/g,
possible = /[&<>"'`=]/;
function escapeChar(chr) {
return escape[chr];
+1
View File
@@ -18,6 +18,7 @@ describe('utils', function() {
describe('#escapeExpression', function() {
it('shouhld escape html', function() {
equals(Handlebars.Utils.escapeExpression('foo<&"\'>'), 'foo&lt;&amp;&quot;&#x27;&gt;');
equals(Handlebars.Utils.escapeExpression('foo='), 'foo&#x3D;');
});
it('should not escape SafeString', function() {
var string = new Handlebars.SafeString('foo<&"\'>');