Escape ` and = when escaping HTML.
They can be used for nefarious purposes on old IEs. Refs wycats/handlebars.js@83b8e84
This commit is contained in:
@@ -15,7 +15,9 @@ public class Escapers
|
||||
{ "'", "'" },
|
||||
{ "\"", """ },
|
||||
{ "<", "<" },
|
||||
{ ">", ">" }
|
||||
{ ">", ">" },
|
||||
{ "`", "`" },
|
||||
{ "=", "=" }
|
||||
});
|
||||
|
||||
/** An escaper that does no escaping. */
|
||||
|
||||
@@ -283,10 +283,11 @@ public abstract class SharedTests extends GWTTestCase
|
||||
}
|
||||
|
||||
@Test public void testEscapeHTML () {
|
||||
check("<b>", Mustache.compiler().compile("{{a}}").
|
||||
execute(context("a", "<b>")));
|
||||
check("<b>", Mustache.compiler().compile("{{a}}").execute(context("a", "<b>")));
|
||||
check("<b>", Mustache.compiler().escapeHTML(false).compile("{{a}}").
|
||||
execute(context("a", "<b>")));
|
||||
// ensure that some potential XSS enablers are escaped
|
||||
check("`=", Mustache.compiler().compile("{{a}}").execute(context("a", "`=")));
|
||||
}
|
||||
|
||||
@Test public void testUserDefinedEscaping() {
|
||||
|
||||
Reference in New Issue
Block a user