author | kpdecker <kpdecker@gmail.com> | 2015-09-01 01:44:35 -0500 |
committer | Hannah Wolfe <erisds@gmail.com> | 2016-02-08 18:56:04 +0000 |
commit | 1c863e34abf04ba6a0095078658d334646aca5cc (patch) | |
tree | 46ec576e08cdefca628b1858f0ce24a3424075ce | |
parent | 891f48b7e9c321dd9cbe7a898533eb6b2434b8a0 (diff) | |
Escape = in HTML content
There was a potential XSS exploit when using unquoted attributes, which this change should help reduce.
Fixes #1083
-rw-r--r-- | lib/handlebars/utils.js | 7 | ||||
-rw-r--r-- | spec/utils.js | 1 |
2 files changed, 5 insertions, 3 deletions
diff --git a/lib/handlebars/utils.js b/lib/handlebars/utils.js
index c522394..fc6dcfb 100644
--- a/lib/handlebars/utils.js
+++ b/lib/handlebars/utils.js
@@ -4,11 +4,12 @@ const escape = {
 '>': '>',
 '"': '"',
 "'": ''',
- '`': '`'
+ '`': '`',
+ '=': '='
 };
-const badChars = /[&<>"'`]/g,
- possible = /[&<>"'`]/;
+const badChars = /[&<>"'`=]/g,
+ possible = /[&<>"'`=]/;
 function escapeChar(chr) {
 return escape[chr];
diff --git a/spec/utils.js b/spec/utils.js
index 81732c5..7248ac4 100644
--- a/spec/utils.js
+++ b/spec/utils.js
@@ -18,6 +18,7 @@ describe('utils', function() {
 describe('#escapeExpression', function() {
 it('shouhld escape html', function() {
 equals(Handlebars.Utils.escapeExpression('foo<&"\'>'), 'foo<&"'>');
+ equals(Handlebars.Utils.escapeExpression('foo='), 'foo=');
 });
 it('should not escape SafeString', function() {
 var string = new Handlebars.SafeString('foo<&"\'>'); |
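Review bot: `badChars`, `possible` and the `escape` table now carry the same character set in three places, and this hunk shows why that is fragile — adding `=` required touching all three. The one-liner `possible = new RegExp(badChars.source);` in the same declaration removes one copy, and a comment above the table such as `// Keep in sync with the badChars/possible character classes below` covers the other. Note also that escaping `=` only narrows the unquoted-attribute case named in the commit message: whitespace and `/` still pass through, so the table is a complete defence only for text and quoted-attribute contexts, which is worth stating in that comment so template authors keep quoting attribute values. The `escape` object literal begins above this hunk (its opening line appears only in the hunk header).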