We generally do not support scriptable context in secure-handlebars, as stated in README.md. However, using secure-handlebars still has an advantage over the original one. We now try to warn developers, as much as possible, when placeholders are put in scriptable contexts.

We're aware that some scriptable contexts are not classified as the SCRIPT_DATA state as defined in the HTML5 specification (e.g., `<svg>` results in the DATA state, and `<iframe srcdoc="">` is an attribute that can also result in script execution; see https://github.com/yahoo/secure-handlebars/blob/master/src/handlebars-utils.js#L313). To catch all of them for warnings, it's known that we need to further implement a stack to trace the tag hierarchy. Hence, we won't miss those placeholders whose parent's (parent's)+ tagName is scriptable.

(Note: right now, we do not give a warning for the use of `<iframe srcdoc="">`. It is a known issue, as mentioned in https://github.com/yahoo/secure-handlebars/blob/master/src/handlebars-utils.js#L313.)
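An added illustration of the tag-hierarchy stack described above (example code written for this note, not secure-handlebars' own implementation): a minimal scanner that tracks open tags and reports placeholders whose ancestor chain includes `<script>` or `<svg>`, or that sit inside an `iframe srcdoc` attribute. The tokenizer regexes, the `SCRIPTABLE_TAGS` set and the sample template are assumptions made for the illustration.

```javascript
// Toy scanner (not secure-handlebars code): keep a stack of open tag names so a
// placeholder is flagged when ANY ancestor is scriptable, not only its parent.
const SCRIPTABLE_TAGS = new Set(['script', 'svg']);              // assumed set
const VOID_TAGS = new Set(['br', 'img', 'input', 'meta', 'link', 'hr']);
const PLACEHOLDER = /\{\{\{?\s*([^}]*?)\s*\}?\}\}/g;              // {{x}} or {{{x}}}

function scriptablePlaceholders(template) {
  const stack = [];      // open tag names, outermost first
  const findings = [];
  // One token per iteration: closing tag | opening tag (quoted attrs may hold '>') | placeholder
  const token = /<\/([a-zA-Z][\w-]*)\s*>|<([a-zA-Z][\w-]*)((?:"[^"]*"|'[^']*'|[^"'>])*)>|\{\{\{?\s*([^}]*?)\s*\}?\}\}/g;
  let m;
  while ((m = token.exec(template)) !== null) {
    if (m[1] !== undefined) {                    // closing tag: unwind to its opener
      const idx = stack.lastIndexOf(m[1].toLowerCase());
      if (idx !== -1) stack.length = idx;
      continue;
    }
    if (m[2] !== undefined) {                    // opening tag
      const name = m[2].toLowerCase();
      const attrs = m[3];
      // srcdoc="..." is parsed as a whole document, so a placeholder there is scriptable
      const srcdoc = /srcdoc\s*=\s*("[^"]*"|'[^']*')/i.exec(attrs);
      if (srcdoc) {
        for (const p of srcdoc[1].matchAll(PLACEHOLDER)) {
          findings.push({ placeholder: p[1], reason: 'iframe srcdoc attribute', path: [...stack, name] });
        }
      }
      if (!VOID_TAGS.has(name) && !/\/\s*$/.test(attrs)) stack.push(name);
      continue;
    }
    // placeholder in element content: scriptable if any ancestor on the stack is
    const ancestor = stack.find((t) => SCRIPTABLE_TAGS.has(t));
    if (ancestor) findings.push({ placeholder: m[4], reason: `inside <${ancestor}>`, path: [...stack] });
  }
  return findings;
}

// Constructed sample: {{a}} and {{e}} are safe contexts; b, c (grandchild of <svg>) and d are not.
const SAMPLE_TEMPLATE =
  '<div>{{a}}</div><script>var x = {{b}};</script>' +
  '<svg><text>{{c}}</text></svg>' +
  '<iframe srcdoc="<p>{{d}}</p>"></iframe><p>{{e}}</p>';

console.log(scriptablePlaceholders(SAMPLE_TEMPLATE));
```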