Handlebars triple-stash to avoid escaping HTML entities
I use Handlebars, and if a character such as ' is rendered, it appears on the screen as ' .
I know that wrapping the variable in a triple-stash will prevent this from happening.
I processed the following line in a triple-stash as a quick test and it seemed fine:
<p>hello<p> would not like t ' t "
This was displayed exactly how I wanted it.
My question is, is it safe to just wrap all variables in a triple-stash? Or will it have some unintended consequences that I have not considered?
Thanks
By default, all double-stash tags {{var}} within Handlebars will be HTML escaped. This is done for security reasons, to avoid DOM XSS, as your variable can contain any data, including user data or any untrusted data.
In some cases, you will need to inject your data as is, without escaping. That is where the triple-stash {{{var}}} is used. But every time you do this, you need to think about what might be in your data and whether you can trust it.
Learn more about HTML Escaping at Handlebars.
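The rule described in the answer, as an added example that is not part of the original post and is not Handlebars' own code: a small stand-in renderer where double-stash escapes and triple-stash does not, plus a hypothetical unreviewedRawVars helper that lists triple-stash variables missing from an allowlist of trusted HTML. The function names, sample data and template are assumptions constructed for illustration.

```javascript
// Stand-in for the rendering rule in the answer, written for this example.
// It is NOT the Handlebars library; it handles only {{name}} and {{{name}}}.
// The escape table lists the characters Handlebars' HTML escaping covers.
const ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => ESCAPES[ch]);
}

function render(template, data) {
  // The triple-stash alternative comes first so {{{x}}} is never read as {{x}}.
  const tag = /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g;
  return template.replace(tag, (_, raw, escaped) =>
    raw !== undefined ? String(data[raw] ?? '') : escapeHtml(data[escaped] ?? ''));
}

// Hypothetical review helper: names of triple-stash variables that are not
// on an explicit allowlist of values known to hold trusted HTML.
function unreviewedRawVars(template, trusted) {
  const names = new Set();
  for (const m of template.matchAll(/\{\{\{\s*(\w+)\s*\}\}\}/g)) {
    if (!trusted.has(m[1])) names.add(m[1]);
  }
  return [...names];
}

// Constructed sample data: one plain value, one untrusted value, one trusted fragment.
const data = {
  name: "O'Brien",
  comment: '<img src=x onerror="alert(1)">',
  footer: '<p>hello</p>',
};
const page = '<h1>{{name}}</h1><div>{{{comment}}}</div>{{{footer}}}';

console.log(render('{{comment}}', data));   // markup arrives as inert text
console.log(render('{{{comment}}}', data)); // markup arrives as live HTML
console.log(unreviewedRawVars(page, new Set(['footer'])));
```

Wrapping every variable in a triple-stash turns each of them into the second case, so a check like the last one keeps the unescaped set small and reviewed.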