Closed mirozoo closed 11 years ago
Yeah, that makes sense. Would you mind submitting a PR for this? If not, I'll get to it at some point later.
It's a shame Handlebars offers no way to know if a helper was called with a double or triple stash (to determine if the input should be escaped or not) - there's an open issue for this here.
Merged with #8.
I discovered that the nl2br helper function returns a Handlebars.SafeString which isn't being escaped during rendering. While this is necessary to leave the inserted br tags untouched, it can cause security issues (e.g. XSS) if the INPUT string is not escaped. In my opinion this should be done before the replacement is performed:
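The following is an added example, not the snippet from the issue above and not the project's own helper. It contrasts an nl2br helper that wraps its raw input in a SafeString with one that escapes the input first. To keep it runnable without the handlebars package, `SafeString`, `escapeExpression` and `render` are minimal stand-ins that mirror how Handlebars treats a SafeString (passed through verbatim) versus a plain value (HTML-escaped) in a double-stash expression; the payload string is constructed for the demonstration.

```javascript
// Added example: why an nl2br helper returning a SafeString must escape its input.
// SafeString and escapeExpression are stand-ins for Handlebars.SafeString and
// Handlebars.Utils.escapeExpression so the file runs without the handlebars package.

class SafeString {
  constructor(str) { this.string = str; }
  toString() { return String(this.string); }
}

// Same character set and entities Handlebars uses when escaping output.
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

function escapeExpression(value) {
  if (value instanceof SafeString) return value.toString(); // trusted markup: untouched
  if (value == null) return '';
  return String(value).replace(/[&<>"'`=]/g, (ch) => ESCAPE_MAP[ch]);
}

const NEWLINE_RE = /(\r\n|\n\r|\r|\n)/g;

// Vulnerable helper: the raw input is wrapped in a SafeString, so any markup
// the caller supplied reaches the page unescaped.
function nl2brVulnerable(text) {
  const html = String(text).replace(NEWLINE_RE, '<br>');
  return new SafeString(html);
}

// Hardened helper: escape the input first, then insert the <br> tags, so the
// only markup inside the SafeString is the markup the helper itself added.
function nl2brSafe(text) {
  const escaped = escapeExpression(text);
  const html = escaped.replace(NEWLINE_RE, '<br>');
  return new SafeString(html);
}

// Stand-in for a double-stash {{ }} expression: SafeString passes through,
// anything else is escaped.
function render(value) {
  return escapeExpression(value);
}

// Constructed attacker-controlled input: a newline followed by an XSS payload.
const PAYLOAD = 'hello\n<img src=x onerror=alert(1)>';

function demo() {
  return {
    vulnerable: render(nl2brVulnerable(PAYLOAD)),
    safe: render(nl2brSafe(PAYLOAD)),
  };
}

console.log(demo());
```

With the real library the same two helpers would be registered via `Handlebars.registerHelper`, and the renderer would apply the same rule: a `Handlebars.SafeString` is emitted as-is, so whatever went into it must already be safe.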