diff options
| author | kpdecker <kpdecker@gmail.com> | 2015-09-01 01:44:35 -0500 |
|---|---|---|
| committer | kpdecker <kpdecker@gmail.com> | 2015-09-01 01:44:35 -0500 |
| commit | 83b8e846a3569bd366cf0b6bdc1e4604d1a2077e (patch) | |
| tree | 00d7d41a96485736369528be71b88ababc8419c5 /lib | |
| parent | b0d217e13df11cb8cc3e23b242d6e8e20b9c1f30 (diff) | |
| download | handlebars.js-83b8e846a3569bd366cf0b6bdc1e4604d1a2077e.zip handlebars.js-83b8e846a3569bd366cf0b6bdc1e4604d1a2077e.tar.gz handlebars.js-83b8e846a3569bd366cf0b6bdc1e4604d1a2077e.tar.bz2 | |
Escape = in HTML content
There was a potential XSS exploit when using unquoted attributes that this should help reduce.
Fixes #1083
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/handlebars/utils.js | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/lib/handlebars/utils.js b/lib/handlebars/utils.js index 81050f9..d34646b 100644 --- a/lib/handlebars/utils.js +++ b/lib/handlebars/utils.js @@ -4,11 +4,12 @@ const escape = { '>': '>', '"': '"', "'": ''', - '`': '`' + '`': '`', + '=': '=' }; -const badChars = /[&<>"'`]/g, - possible = /[&<>"'`]/; +const badChars = /[&<>"'`=]/g, + possible = /[&<>"'`=]/; function escapeChar(chr) { return escape[chr]; |