From 9eda17f85bfd8849850bdafa92d2f6ffe12bb71f Mon Sep 17 00:00:00 2001 From: Michael Bayne Date: Thu, 24 Dec 2015 13:48:07 -0800 Subject: [PATCH] Escape ` and = when escaping HTML. They can be used for nefarious purposes on old IEs. Refs wycats/handlebars.js@83b8e84 --- src/main/java/com/samskivert/mustache/Escapers.java | 4 +++- src/test/java/com/samskivert/mustache/SharedTests.java | 5 +++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/src/main/java/com/samskivert/mustache/Escapers.java b/src/main/java/com/samskivert/mustache/Escapers.java index a380b67..b8a8a1e 100644 --- a/src/main/java/com/samskivert/mustache/Escapers.java +++ b/src/main/java/com/samskivert/mustache/Escapers.java @@ -15,7 +15,9 @@ public class Escapers { "'", "'" }, { "\"", """ }, { "<", "<" }, - { ">", ">" } + { ">", ">" }, + { "`", "`" }, + { "=", "=" } }); /** An escaper that does no escaping. */ diff --git a/src/test/java/com/samskivert/mustache/SharedTests.java b/src/test/java/com/samskivert/mustache/SharedTests.java index 645aebe..6106934 100644 --- a/src/test/java/com/samskivert/mustache/SharedTests.java +++ b/src/test/java/com/samskivert/mustache/SharedTests.java @@ -283,10 +283,11 @@ public abstract class SharedTests extends GWTTestCase } @Test public void testEscapeHTML () { - check("<b>", Mustache.compiler().compile("{{a}}"). - execute(context("a", ""))); + check("<b>", Mustache.compiler().compile("{{a}}").execute(context("a", ""))); check("", Mustache.compiler().escapeHTML(false).compile("{{a}}"). execute(context("a", ""))); + // ensure that some potential XSS enablers are escaped + check("`=", Mustache.compiler().compile("{{a}}").execute(context("a", "`="))); } @Test public void testUserDefinedEscaping() {