| Commit message | Author | Age | Files | Lines |
Conflicts:
lib/handlebars.js
test/index.html
Previously, only < and > were escaped. This meant that any Handlebars
template that used user input in an HTML attribute value was wide open
to a trivial XSS exploit. Note that unquoted attribute values are still
open to attack, but this set of characters at least brings Handlebars in
line with other Mustache implementations and other template languages.
See the OWASP XSS prevention cheat sheet (rule #1) for the rationale
behind escaping these characters:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
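To make the commit's point concrete, here is an added example (not Handlebars.js code, and not from the commit above). It contrasts escaping only `<` and `>` with the OWASP rule #1 set the commit cites (`& < > " ' /`), and shows why an unquoted attribute value stays exploitable even with the wider set: the payload needs no special characters at all. The `attributeNames` tokenizer is a deliberately small stand-in for how a browser splits a tag into attributes (quoted values end at the matching quote, unquoted values end at whitespace or `>`); the payloads and the `title` attribute template are constructed for the demonstration.

```javascript
// Added example: old vs OWASP-rule-1 escaping in an HTML attribute context.
// None of this is Handlebars.js code; the templates and payloads are constructed.

// Escaping only < and >, as the commit message says Handlebars did previously.
function escapeOld(str) {
  return String(str).replace(/[<>]/g, (c) => ({ '<': '&lt;', '>': '&gt;' }[c]));
}

// OWASP XSS Prevention Cheat Sheet rule #1 character set.
const OWASP_RULE1 = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};
function escapeNew(str) {
  return String(str).replace(/[&<>"'\/]/g, (c) => OWASP_RULE1[c]);
}

// Two hypothetical templates: user input in a quoted and in an unquoted attribute.
function renderQuotedAttr(escape, value) {
  return '<a title="' + escape(value) + '">link</a>';
}
function renderUnquotedAttr(escape, value) {
  return '<a title=' + escape(value) + '>link</a>';
}

// Minimal attribute tokenizer for the first tag of a rendered string.
// Returns the attribute names a browser would see, which is what decides
// whether an onmouseover= handler was injected or stayed inside the value.
function attributeNames(html) {
  const body = html.slice(html.indexOf(' ') + 1, html.indexOf('>'));
  const names = [];
  let pos = 0;
  const isWs = (ch) => /\s/.test(ch);
  while (pos < body.length) {
    while (pos < body.length && isWs(body[pos])) pos++;
    if (pos >= body.length) break;
    const start = pos;
    while (pos < body.length && !isWs(body[pos]) && body[pos] !== '=') pos++;
    names.push(body.slice(start, pos).toLowerCase());
    while (pos < body.length && isWs(body[pos])) pos++;
    if (body[pos] === '=') {
      pos++;
      while (pos < body.length && isWs(body[pos])) pos++;
      const q = body[pos];
      if (q === '"' || q === "'") {
        pos++;                                   // quoted value: runs to the matching quote
        while (pos < body.length && body[pos] !== q) pos++;
        pos++;
      } else {
        while (pos < body.length && !isWs(body[pos])) pos++; // unquoted: runs to whitespace
      }
    }
  }
  return names;
}

// Constructed payloads.
const QUOTED_PAYLOAD = '" onmouseover="alert(1)';  // breaks out of a quoted value via "
const UNQUOTED_PAYLOAD = 'x onmouseover=alert(1)';   // contains nothing rule #1 escapes

function demo() {
  return {
    // old escaping, quoted attribute: " is untouched, handler injected
    oldQuoted: attributeNames(renderQuotedAttr(escapeOld, QUOTED_PAYLOAD)),
    // rule #1 escaping, quoted attribute: " becomes &quot;, value stays one attribute
    newQuoted: attributeNames(renderQuotedAttr(escapeNew, QUOTED_PAYLOAD)),
    // rule #1 escaping, unquoted attribute: still injected, as the commit warns
    newUnquoted: attributeNames(renderUnquotedAttr(escapeNew, UNQUOTED_PAYLOAD)),
  };
}

module.exports = { escapeOld, escapeNew, renderQuotedAttr, renderUnquotedAttr, attributeNames, demo };
```

The takeaway matches the commit's caveat: output escaping closes the quoted-attribute hole, but only quoting every attribute value in the template closes the unquoted one, because whitespace is the delimiter there and no escaping rule removes it.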
useful in scenarios where your context object is inherited from another system (such as a framework or JSON API) that may contain properties that conflict with helpers you explicitly define.
top-level template methods
be subclassed.
* made it possible to define an alternate name lookup scheme (so that {{foo}} does not have to be
context.foo, but can instead be something like context.get('foo'))
* made it possible to substitute an alternate buffer instead of the default empty String and override how
the compiled template appends to the buffer
* Added the concept of template-local data. In order to enable template-local data, pass true
as the second parameter to the template compiler. Then, pass in the data as the fourth
parameter (context, helpers, partials, data). These signatures may change before the 1.0 release.
faster. Use Handlebars.VM.compile instead of Handlebars.compile to use the optimized version.
Major TODOS:
* clean up a bunch of code duplication in the compiler
* reorganize the compiler
* add support for debug symbols which would make it possible
to provide information about what part of the source caused
a runtime error.
things like link_to in a Rails context)
the helpers or partials later
* foo"bar" is an invalid param
* {{foo}}bar{{/baz}} is invalid
* fix a number of issues with inverse sections
* add partials
* add helperMissing.not to the specs
* add Handlebars.Utils.isEmpty
* add runtime handling for inverse sections
* fix __get__ to pass an IdNode to evaluate
* handle case in wrapProgram where context is undefined
* {{}} escape their contents, {{{}}} and {{& }} do not
* Add support in the parser, tokenizer and AST for partials
with context (support is still not there in the runtime)
* Fix some inconsistencies with the old behavior involving
the correct printing of null and undefined
* Add Handlebars.Exception
* Fixed an issue involving ./foo and this/foo
* Fleshed out helperMissing in the specs (this will be
moved out into handlebars proper once registerHelper
and registerPartial are added)
from the original suite to go