Avoid XSS in Handlebars templates

Asked Mar 11 '15 at 17:44

Active Mar 11 '15 at 18:00

Viewed 2,048 times

We use Handlebars templates to render data from one of our APIs. The data contains HTML entities - for example:

Police officers won&#8217;t be able to fine you until 10 minutes after your ticket&nbsp;expires

Till now we've used the Handlebars triple brace to let those through, like:

<p class="title">{{{title}}}</p>

But our hosting service provider tells us this is an XSS risk, and that values need to be escaped. They tell us to use {{ }} so Handlebars escapes them. But when we do this, the HTML entities show up in the front end as entity strings.

Can anyone suggest an easy way we can secure our client-side Handlebars templates against cross-site scripting while allowing HTML entities for the most typical UTF-8 characters like the non-breaking space ( ) and left single quote (‘)? I've come across Yahoo Secure Handlebars Helpers, but that seems to be intended only for use with their Handlebars Context Pre-compiler, which I'm not familiar with and anyway seems to be a server-side utility.

edited Mar 11 '15 at 18:00

asked Mar 11 '15 at 17:44

And Finally

5,602
14
70
110

Did you end up finding an answer to this? – nelsonic Nov 17 '15 at 13:38
No, seems nobody has one. – And Finally Nov 18 '15 at 14:12
I wanted to mark this as a duplicate, but the other question didn't have any answer solving your security concerns - despite tons of votes. So I [added one](https://stackoverflow.com/a/34064434/785541). – Wladimir Palant Dec 03 '15 at 11:14
Thanks for link Wladimir Palant, you save my day! – user752746 Apr 10 '19 at 22:31

Avoid XSS in Handlebars templates

0 Answers0