authorRyan Grove <ryan@wonko.com>2011-04-25 11:14:26 -0700
committerRyan Grove <ryan@wonko.com>2011-04-25 11:15:53 -0700
commitb291a1ad8c9a33f834d126450635f0b6ca546a0c (patch)
tree43c069a0191d49bef40f054a7c0cff9e77f26ef1 /lib/handlebars/utils.js
parent038d9b3feed51bc12db95af0e0ef8b69776b42c9 (diff)
Add ", ', and / to the list of chars that need HTML escaping.
Previously, only < and > were escaped. This meant that any Handlebars template that used user input in an HTML attribute value was wide open to a trivial XSS exploit. Note that unquoted attribute values are still open to attack, but this set of characters at least brings Handlebars in line with other Mustache implementations and other template languages. See the OWASP XSS prevention cheat sheet (rule #1) for the rationale behind escaping these characters: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Diffstat (limited to 'lib/handlebars/utils.js')
-rw-r--r--lib/handlebars/utils.js9
1 files changed, 6 insertions, 3 deletions
diff --git a/lib/handlebars/utils.js b/lib/handlebars/utils.js
index 981bb1f..1584986 100644
--- a/lib/handlebars/utils.js
+++ b/lib/handlebars/utils.js
@@ -16,11 +16,14 @@ Handlebars.SafeString.prototype.toString = function() {
(function() {
var escape = {
"<": "&lt;",
- ">": "&gt;"
+ ">": "&gt;",
+ '"': "&quot;",
+ "'": "&#x27;",
+ "/": "&#x2F;"
};
- var badChars = /&(?!\w+;)|[<>]/g;
- var possible = /[&<>]/
+ var badChars = /&(?!\w+;)|[<>"'\/]/g;
+ var possible = /[&<>"'\/]/;
var escapeChar = function(chr) {
return escape[chr] || "&amp;"