I have a Meteor 0.8.3 app with the template:

<template name="example">
    Description: {{desc}}
</template>

and javascript:

// Helper for {{desc}}: returns the raw Session value; double braces in the
// template mean Spacebars HTML-escapes it before rendering.
Template.example.desc = function(){
    return Session.get("desc");
};

where the user has set the Session's desc.

I want to mark up the text slightly before displaying it, e.g. replacing carriage returns with <br>, and adding some word-breaks (html code &#8203;).

I believe I could do this with some regex replacements in Template.example.desc and triple-braces {{{desc}}} in the template - however, this opens the door to the user entering their own html into the string, which is unsafe. So I'd like to let Meteor first make the string safe, and only then apply my markup.

How do I do it? Thanks!

Racing Tadpole
  • Hi @Racing Tadpole, I am the guy who asked you about Leaderboard - Angular opinion on your blog. And yes at the end I built the whole thing with Meteor :) the world is small. – Anzel Oct 07 '14 at 12:26

1 Answer

{{{desc}}} is the way to go. I do not see this as a security fault since you can only alter your own Session "desc". If you are talking about a variable that is saved in the database and shown to all users, a server-side check, or wrapping the variable with your markup before sending it back to the client side, will be more appropriate.

Anzel
  • Yes, small world! Thanks for your answer. Yes, in fact I am really talking about a variable from the database - can you expand on how you would do the check? Why do you suggest making it a server-side check? I am now thinking a client-side html escape function like http://stackoverflow.com/questions/1219860/html-encoding-in-javascript-jquery would work in `Template.example.desc`... – Racing Tadpole Oct 07 '14 at 22:32
  • I'm going to bed soon so I will write some code tomorrow. But first off, I need a clear understanding of what you're going to achieve. Are you going to store the RAW string in the database and just want to wrap it with markup on the template, or do you want to store the markup string in the database? – Anzel Oct 08 '14 at 00:35
  • Hi Anzel, yes, I have the raw string in the database. I have now implemented a solution where the html is explicitly escaped on the client (e.g. using the above-mentioned stackoverflow solution), and then I mark it up, and then display it with triple braces. I've just written this up as a separate blog post with my actual use-case (preventing table columns from being too wide) here: http://racingtadpole.com/blog/tables-without-layout-fixed/. Thanks for pointing me in the right direction! – Racing Tadpole Oct 08 '14 at 04:58
  • Hi @RacingTadpole, I saw your article. I'm glad you've solved it :) For your reference, you may check out `Spacebars.SafeString` for escape and consider using a template helper so you can reuse `myMarkUp`. – Anzel Oct 08 '14 at 08:17
  • Ah, `Spacebars.SafeString` looks like just what I was after - is there any documentation on this? – Racing Tadpole Oct 08 '14 at 22:19
  • Yes, here we go: [Spacebars SafeString](https://github.com/meteor/meteor/blob/devel/packages/spacebars/README.md#safestring), not very much in detail though – Anzel Oct 09 '14 at 07:50
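The approach the thread converges on (escape the raw database string first, then add the `<br>` and `&#8203;` markup, then tell Spacebars the result is safe) as an added, self-contained example; this is not code from the question, the answer, or the linked blog post. It keeps the question's helper name `desc`, template name `example`, and Session key `"desc"`; the choice to insert a zero-width space after `/` and `_` is an assumption made here for illustration, and the Meteor globals `Template`, `Session` and `Spacebars` are only touched when they exist, so the escaping and markup functions also run outside Meteor.

```javascript
// Added example, not the original poster's or Meteor's own code.
// Order of operations is the whole point: escape the untrusted string first,
// then add our own markup, then wrap in Spacebars.SafeString so {{desc}}
// (double braces) renders the <br> tags without a second escaping pass.

// Escape the characters that change meaning in HTML text or attribute context.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')   // must run first so later entities are not re-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Markup applied only to an already-escaped string:
//  - every newline (CRLF, CR or LF) becomes <br>
//  - a zero-width space (&#8203;) is inserted after each '/' and '_'
//    (assumed break points, chosen here so long tokens can wrap)
// Neither replacement can be influenced by the user, because the only '<'
// and '&' left in the input are the ones escapeHtml produced.
function markUp(escaped) {
  return escaped
    .replace(/\r\n|\r|\n/g, '<br>')
    .replace(/([\/_])/g, '$1&#8203;');
}

// Safe composition: any <br> or <script> typed by the user arrives escaped,
// while the <br> tags we add afterwards are real markup.
function safeMarkedUp(raw) {
  return markUp(escapeHtml(raw));
}

// Wiring into the Meteor 0.8.3 helper style used in the question.
if (typeof Template !== 'undefined' && typeof Spacebars !== 'undefined') {
  Template.example.desc = function () {
    var raw = Session.get('desc') || '';
    // SafeString marks the string as already-safe HTML, so the template can
    // keep {{desc}} rather than the triple-brace {{{desc}}} form.
    return new Spacebars.SafeString(safeMarkedUp(raw));
  };
}
```

Reversing the two steps (`escapeHtml(markUp(raw))`) is the common mistake: it neutralises the `<br>` tags the helper just added, so the text renders with literal `&lt;br&gt;`, which is why the escape has to come first and the result has to be handed to Spacebars as a `SafeString` rather than escaped again.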