把手三重藏匿，以避免逃离html实体 [英] Handlebars triple-stash to avoid escaping html entities

问题描述

我使用句柄，并且如果处理了诸如&＃39; 的转义字符，它在屏幕上以&＃39 ; 。

我知道用三重隐藏包装变​​量会防止这种情况发生。

我在三重存储中处理了以下字符串作为快速测试，它似乎很好< p> hello< p> would not wouldn <$ c
$ b

我的问题是，它是安全的吗？简单地将所有变量包装在三重藏匿中？或者会有一些无法预料的后果我还没有考虑过？

谢谢

解决方案

默认情况下，所有双隐藏在Handlebars中的 {{var}} 嵌入式将被HTML转义。它出于安全原因执行，以避免 DOM XSS 漏洞。因为您的变量可能包含任何数据，包括用户数据或任何类型的不可信数据。

在某些情况下，您将需要按原样嵌入数据，而不会转义。使用tripple-stash {{{var}}} 。但是每次这样做时，您都需要考虑数据中可能包含的内容，并且可以信任它？

了解更多关于 Handlebars网站上的HTML转义。

I use handlebars, and if an escaped character such as ' is processed it is rendered on screen as '.

I know wrapping the variable in a triple-stash will prevent this.

I processed the following string within a triple-stash as a quick test and it seemed fine "<p>hello<p>wouldn't wouldn't" This rendered to screen exactly how I wanted it to.

My question is, is it safe to simply wrap all variables in triple-stash? or will this have some unforeseen consequences I haven't considered?

Thanks

解决方案

By default all double-stashed {{var}} embeds in Handlebars will be HTML-escaped. It's performed for security reasons to avoid DOM XSS vulnerabilities. Because your variable may contain any data including user-data or any kind of untrusted data.

In some cases you will need to embed your data as-is, without escaping. There is where tripple-stash {{{var}}} used. But every time doing this, you need to think what may be in your data and can you trust it?

Read more about HTML Escaping on Handlebars site.

这篇关于把手三重藏匿，以避免逃离html实体的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！