You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When using the {{emoji-parse ...}} helper, I've realized it's very easy to introduce XSS vulnerability, as the helper uses htmlSafe right here, which causes Handlebars to wholesale not escape the output.
Any ideas to make this better? Is there any reason not to call Handlebars.escapeExpression on the provided input? Or maybe provide an option that we can pass to the helper?
If there isn't a good general solution, maybe just mentioning the use of htmlSafe in the documentation would suffice.
The text was updated successfully, but these errors were encountered:
When using the
{{emoji-parse ...}}helper, I've realized it's very easy to introduce XSS vulnerability, as the helper useshtmlSaferight here, which causes Handlebars to wholesale not escape the output.Any ideas to make this better? Is there any reason not to call
Handlebars.escapeExpressionon the provided input? Or maybe provide an option that we can pass to the helper?If there isn't a good general solution, maybe just mentioning the use of
htmlSafein the documentation would suffice.The text was updated successfully, but these errors were encountered: