diff options
| author | kpdecker <kpdecker@gmail.com> | 2015-09-01 01:44:35 -0500 |
|---|---|---|
| committer | kpdecker <kpdecker@gmail.com> | 2015-09-01 01:44:35 -0500 |
| commit | 83b8e846a3569bd366cf0b6bdc1e4604d1a2077e (patch) | |
| tree | 00d7d41a96485736369528be71b88ababc8419c5 | |
| parent | b0d217e13df11cb8cc3e23b242d6e8e20b9c1f30 (diff) | |
| download | handlebars.js-83b8e846a3569bd366cf0b6bdc1e4604d1a2077e.zip handlebars.js-83b8e846a3569bd366cf0b6bdc1e4604d1a2077e.tar.gz handlebars.js-83b8e846a3569bd366cf0b6bdc1e4604d1a2077e.tar.bz2 | |
Escape = in HTML content
There was a potential XSS exploit when using unquoted attributes that this should help reduce.
Fixes #1083
| -rw-r--r-- | lib/handlebars/utils.js | 7 | ||||
| -rw-r--r-- | spec/utils.js | 1 |
2 files changed, 5 insertions, 3 deletions
diff --git a/lib/handlebars/utils.js b/lib/handlebars/utils.js index 81050f9..d34646b 100644 --- a/lib/handlebars/utils.js +++ b/lib/handlebars/utils.js @@ -4,11 +4,12 @@ const escape = { '>': '>', '"': '"', "'": ''', - '`': '`' + '`': '`', + '=': '=' }; -const badChars = /[&<>"'`]/g, - possible = /[&<>"'`]/; +const badChars = /[&<>"'`=]/g, + possible = /[&<>"'`=]/; function escapeChar(chr) { return escape[chr]; diff --git a/spec/utils.js b/spec/utils.js index 81732c5..7248ac4 100644 --- a/spec/utils.js +++ b/spec/utils.js @@ -18,6 +18,7 @@ describe('utils', function() { describe('#escapeExpression', function() { it('shouhld escape html', function() { equals(Handlebars.Utils.escapeExpression('foo<&"\'>'), 'foo<&"'>'); + equals(Handlebars.Utils.escapeExpression('foo='), 'foo='); }); it('should not escape SafeString', function() { var string = new Handlebars.SafeString('foo<&"\'>'); |