Cropster / ember-l10n

A GNU gettext based localization workflow for Ember
MIT License

Security: Don't implicitly mark helper outputs as htmlSafe #14

Closed arm1n closed 7 years ago

arm1n commented 7 years ago

Current template helper functions such as t or n wrap output implicitly in Ember.String.htmlSafe() calls, which could lead to potential security gaps when used in combination with user inputs. Therefore, it should be stripped out and the responsibility for marking output as HTML safe handed to the addon consumer. This can be done as follows:

HBS:

{{{t "<strong>unescaped text</strong>"}}}

JS:

import Ember from 'ember';

// l10n is the addon's injected service; t() returns a plain string here
let trans = l10n.t("<strong>unescaped text</strong>");
// the consumer decides explicitly that this output is trusted markup
let safe = Ember.String.htmlSafe(trans);