Closed neraliu closed 9 years ago
The current secure-handlebars implementation of {{&expression}} is ignoring it without adding customized filters.
Could you raise an issue at Handlebars for clarification if it's confusing and undocumented?
Mustache defines {{&expression}} as {{{rawexpression}}}, so the current implementation of secure-handlebars complies with it. https://github.com/wycats/handlebars.js/issues/1041
When I was inspecting the source code of Handlebars, I noticed that {{&expression}} sets the field "escaped" to false during the preparation of the MustacheStatement, which implies that Handlebars will handle it as {{{raw expression}}}. I am not 100% sure what the developer expectation is when {{&expression}} is used, as I cannot find documentation of this. This issue needs further investigation.
function prepareMustache https://github.com/wycats/handlebars.js/blob/2c1d509c6cafea145ece5ff9bc8b5c2ca98f9749/lib/handlebars/compiler/ast.js#L18
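Because {{&expression}} is emitted unescaped just like {{{expression}}}, a template review has to count both forms as raw output sites. The following is an added example, not part of the original thread and not code from secure-handlebars or Handlebars; the function name, the sample template and its field names are constructed, and the scan assumes the `~` whitespace-control character may follow the opening braces.

```javascript
// Added example: regex-level scan for unescaped Handlebars output sites.
// It is not the Handlebars parser; text inside {{{{raw}}}} blocks is not special-cased.
const TOKEN = new RegExp([
  /\{\{\{\{[\s\S]*?\}\}\}\}/,          // {{{{raw}}}} open/close tag: skipped
  /\{\{~?!--[\s\S]*?--~?\}\}/,         // {{!-- comment --}}: skipped
  /\{\{~?![\s\S]*?\}\}/,               // {{! comment }}: skipped
  /\{\{~?\{\s*([\s\S]*?)\s*\}~?\}\}/,  // {{{expr}}} -> capture group 1
  /\{\{~?&\s*([\s\S]*?)\s*~?\}\}/,     // {{&expr}}  -> capture group 2
].map((r) => r.source).join("|"), "g");

function findUnescapedMustaches(template) {
  const findings = [];
  for (const m of template.matchAll(TOKEN)) {
    const expression = m[1] !== undefined ? m[1] : m[2];
    if (expression === undefined) continue; // comment or raw-block tag
    // \{{ is literal text in Handlebars; \\{{ is a backslash followed by a mustache.
    const before = template.slice(Math.max(0, m.index - 2), m.index);
    if (before.endsWith("\\") && before !== "\\\\") continue;
    findings.push({
      line: template.slice(0, m.index).split("\n").length,
      form: m[1] !== undefined ? "{{{ }}}" : "{{& }}",
      expression,
    });
  }
  return findings;
}

// Constructed sample template (hypothetical field names).
const SAMPLE_TEMPLATE = [
  "<h1>{{title}}</h1>",
  "<div>{{{bodyHtml}}}</div>",
  "<p>{{&signature}}</p>",
  "{{!-- old: {{&legacy}} --}}",
  "<span>{{~& nick ~}}</span>",
  "\\{{&shownLiterally}}",
].join("\n");

for (const f of findUnescapedMustaches(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: ${f.form} ${f.expression}`);
}
```

Each finding is a place where the value reaches the page without HTML escaping, so it needs either a trusted source or an explicit sanitizing step.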