Closed oshanz closed 9 years ago
This could be avoided by using <%- val %> instead of <%= val %>
See documentation
Template functions can both interpolate values, using <%= … %>, as well as execute arbitrary JavaScript code, with <% … %>. If you wish to interpolate a value, and have it be HTML-escaped, use <%- … %>.
Saying underscore templates are unsafe by default is ingenuous. Use <%- %> instead of <%= %>.
Edit: Ha, @megawac beat me to it.
Apologies, I didn't mean to imply it's you, @oshanz. It's Mithril, and its contributors should know better.
You can ping @lhorie about it.
Uh, no, I'm not claiming there's a security hole in Underscore templates. What that demo aims to demonstrate is that it's easy for a developer to unintentionally do the wrong thing.
The Mithril framework says that there is a security hole in the underscore template function. Test results are on their home page. What do you guys think?
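The raw-versus-escaped distinction the thread argues about, as an added example that is not part of the issue or of Underscore itself: a minimal, hypothetical stand-in for `_.template` that mirrors the three delimiters quoted from the documentation, plus a small review helper that lists every raw `<%= %>` interpolation in a template. The `evil()` call in the sample name is a constructed placeholder, not a real payload.

```javascript
// Added example, not code from this thread or from Underscore itself: a
// minimal stand-in for _.template that mirrors its three delimiters, so the
// raw-vs-escaped difference the thread debates can be checked offline.

// Character set matching what Underscore's _.escape replaces.
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

function escapeHtml(value) {
  return String(value == null ? '' : value).replace(/[&<>"'`]/g, ch => ESCAPE_MAP[ch]);
}

// <%- expr %> interpolates HTML-escaped, <%= expr %> interpolates raw,
// <% code %> runs JavaScript. Hypothetical compiler, not Underscore's source.
function compileTemplate(text) {
  const re = /<%-([\s\S]+?)%>|<%=([\s\S]+?)%>|<%([\s\S]+?)%>/g;
  let source = "let __p = '';\nwith (data) {\n";
  let index = 0;
  for (const m of text.matchAll(re)) {
    source += '__p += ' + JSON.stringify(text.slice(index, m.index)) + ';\n';
    index = m.index + m[0].length;
    if (m[1] !== undefined) source += '__p += __e(' + m[1] + ');\n';      // escaped
    else if (m[2] !== undefined) source += '__p += (' + m[2] + ');\n';    // raw
    else source += m[3] + '\n';                                           // evaluate
  }
  source += '__p += ' + JSON.stringify(text.slice(index)) + ';\n}\nreturn __p;';
  const render = new Function('data', '__e', source);
  return data => render(data, escapeHtml);
}

// Review aid: list every raw <%= %> interpolation in a template so a
// reviewer can confirm each one really receives trusted markup.
function findRawInterpolations(text) {
  return [...text.matchAll(/<%=([\s\S]+?)%>/g)].map(m => m[1].trim());
}

// Constructed sample input: a display name an attacker controls.
const untrustedName = 'Mallory <script>evil()</script>';
const rawGreeting = compileTemplate('<p>Hello <%= name %></p>');  // the easy mistake
const safeGreeting = compileTemplate('<p>Hello <%- name %></p>'); // what the thread recommends

console.log(rawGreeting({ name: untrustedName }));   // script tag reaches the page
console.log(safeGreeting({ name: untrustedName }));  // &lt;script&gt; rendered as text
console.log(findRawInterpolations('<p>Hello <%= name %></p>')); // [ 'name' ]
```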