Closed paul90 closed 8 years ago
I noticed this strange behavior. Seems independent of origins that I have updated to latest npm version. Also fails on Chrome and Firefox. I don't recognize the x3D.
`&x3D;` is, I think, an escaped equal sign
Looks to be caused by the upgrade to Handlebars 4.x in hbs - back in October 2015!
The = character is now HTML escaped. This closes a potential exploit case when using unquoted attributes, i.e. `<div foo={{bar}}>`. In general it's recommended that attributes always be quoted when their values are generated from a mustache to avoid any potential exploit surfaces.
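The unquoted-attribute case from the release note quoted above, as an added example that is not part of the original thread and is not Handlebars' own code. `escapeHtml`, `render` and `parseAttributes` are hypothetical helpers, the escape table is a simplified model of the change described, and the input value is constructed.

```javascript
// Added illustration: simplified model of the escaping change, not Handlebars source.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
                   "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;' };

// escapeEquals=false models the older behaviour, true the behaviour quoted above.
function escapeHtml(value, escapeEquals) {
  const pattern = escapeEquals ? /[&<>"'`=]/g : /[&<>"'`]/g;
  return String(value).replace(pattern, (ch) => ENTITIES[ch]);
}

// Render the two template shapes: <div foo={{bar}}> and <div foo="{{bar}}">.
function render(bar, { escapeEquals, quoted }) {
  const v = escapeHtml(bar, escapeEquals);
  return quoted ? `<div foo="${v}">` : `<div foo=${v}>`;
}

// Minimal start-tag attribute tokenizer (a subset of the HTML rules):
// whitespace separates attributes, a name runs to '=' or whitespace,
// an unquoted value runs to whitespace, a quoted value to the closing quote.
// Entities are left undecoded so the escaped text stays visible.
function parseAttributes(tag) {
  const inner = tag.replace(/^<\w+\s*/, '').replace(/>$/, '');
  const attrs = {};
  const re = /([^\s=]+)(?:=(?:"([^"]*)"|([^\s]*)))?/g;
  let m;
  while ((m = re.exec(inner)) !== null) {
    attrs[m[1]] = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : '');
  }
  return attrs;
}

function demo() {
  const bar = 'x title=injected'; // constructed sample value
  return {
    // '=' not escaped, attribute unquoted: value splits into a second name=value pair
    legacyUnquoted: parseAttributes(render(bar, { escapeEquals: false, quoted: false })),
    // '=' escaped, attribute unquoted: no name=value pair forms, a stray name remains
    currentUnquoted: parseAttributes(render(bar, { escapeEquals: true, quoted: false })),
    // '=' escaped, attribute quoted: the whole value stays inside foo
    currentQuoted: parseAttributes(render(bar, { escapeEquals: true, quoted: true })),
  };
}

console.log(demo());
```

Only the quoted form keeps the whole value inside `foo`; escaping `=` stops the injected name from receiving a value but still leaves a stray attribute, which is why the note recommends quoting.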
A request for a URL with a lineup, like http://forage.rodwell.me/forage.ward.fed.wiki.org/weeds-in-the-farm/fedwikihappening.rodwell.me/weeds-in-the-farm fails with the following in the page returned by the server.