Escape ` and = when escaping HTML.
They can be used for nefarious purposes on old IEs. Refs wycats/handlebars.js@83b8e84
This commit is contained in:
@@ -283,10 +283,11 @@ public abstract class SharedTests extends GWTTestCase
|
||||
}
|
||||
|
||||
@Test public void testEscapeHTML () {
|
||||
check("<b>", Mustache.compiler().compile("{{a}}").
|
||||
execute(context("a", "<b>")));
|
||||
check("<b>", Mustache.compiler().compile("{{a}}").execute(context("a", "<b>")));
|
||||
check("<b>", Mustache.compiler().escapeHTML(false).compile("{{a}}").
|
||||
execute(context("a", "<b>")));
|
||||
// ensure that some potential XSS enablers are escaped
|
||||
check("`=", Mustache.compiler().compile("{{a}}").execute(context("a", "`=")));
|
||||
}
|
||||
|
||||
@Test public void testUserDefinedEscaping() {
|
||||
|
||||
Reference in New Issue
Block a user