Script injection affects jquery template

Question

I tried to load string using {{ html }} in jquery template. But script injection affects {{html }}. How restrict script injection.

can you recreate the issue in http://jsfiddle.net/arunpjohny/6budswe9/1/ — Arun P Johny, Oct 15 '15 at 08:58
@ArunPJohny I updated the code in http://jsfiddle.net/6budswe9/3/ — user3312945, Oct 15 '15 at 10:02
see http://stackoverflow.com/questions/236073/why-split-the-script-tag-when-writing-it-with-document-write - it is not the problem of jquery-template.... it is because of how html is parsing the `script` tag — Arun P Johny, Oct 15 '15 at 10:16

score 0 · Answer 1 · edited May 23 '17 at 10:27

It is not the problem is jQuery-template, it is because that is how html parses the <script> element within string literals. See Why split the <script> tag when writing it with document.write()?

If you want to parse and execute the script, then an easy way is to move the script to a separate file(and include that file in the html page) instead of inlining it.

Or you can escape it like

testTemplate = "<i>{{html txt}}</i>";
$.template('testTemplate', testTemplate);
$.tmpl("testTemplate", {
  txt: "<b>bold</b> and \x3Cscript>alert('abc')\x3C/script>"
}).appendTo("#target");

<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<script src="http://ajax.microsoft.com/ajax/jquery.templates/beta1/jquery.tmpl.js"></script>
<ul id="target"></ul>

Is any other way to restrict that scenario? – user3312945 Oct 16 '15 at 04:54 — user3312945, Oct 16 '15 at 04:54
@user3312945 none that I'm aware of – Arun P Johny Oct 16 '15 at 04:55 — Arun P Johny, Oct 16 '15 at 04:55

Script injection affects jquery template

1 Answers1