mustache / mustache.github.com

The {{official}} website
http://mustache.github.io/

How does mustache avoid XSS attacks? #106

Closed PEIYANGXINQU closed 10 months ago

PEIYANGXINQU commented 6 years ago

At first, I used doT.js. It seems that doT does not check the input content. If the content is alert(999), then it will execute and alert the window. Now I have changed to mustache.js. It seems OK. How does mustache avoid XSS attacks?

FranklinYu commented 6 years ago

All variables are HTML escaped by default. If you want to return unescaped HTML, use the triple mustache: {{{name}}}.

You can also use & to unescape a variable: {{& name}}. This may be useful when changing delimiters (see "Set Delimiter" below).

From the manual.

In addition, you may want to directly ask mustache.js.
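To make the escaping behaviour from the answer concrete, here is a small renderer added as an illustration (it is not mustache.js's own code): it implements only the three interpolation forms the manual quote describes, and the entity map is assumed to match the characters mustache.js escapes. The view uses the payload from the question, wrapped in a script tag.

```javascript
// Added example, not mustache.js source. Entity map assumed to match mustache.js:
// it escapes &, <, >, ", ', /, ` and = so that a value can never close the
// attribute or element it is written into.
const ENTITY_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#39;', '/': '&#x2F;', '`': '&#x60;', '=': '&#x3D;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=\/]/g, (ch) => ENTITY_MAP[ch]);
}

// Tags handled, tried in this order at each position:
//   {{{name}}}  -> group 1, raw (unescaped) value
//   {{& name}}  -> group 2 is '&', raw value
//   {{name}}    -> group 2 is '', HTML-escaped value
const TAG_RE = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*(&?)\s*([\w.]+)\s*\}\}/g;

function render(template, view) {
  return template.replace(TAG_RE, (match, tripleName, amp, name) => {
    const key = tripleName !== undefined ? tripleName : name;
    const raw = tripleName !== undefined || amp === '&';
    const value = view[key] === undefined ? '' : view[key];
    return raw ? String(value) : escapeHtml(value);
  });
}

// Constructed view: the alert(999) payload from the question inside a script tag.
const view = { name: '<script>alert(999)</script>' };

// Render the same value through all three forms so the difference is visible.
function demo() {
  return {
    escaped: render('<p>{{name}}</p>', view),     // inert text in the browser
    rawTriple: render('<p>{{{name}}}</p>', view), // live <script> element
    rawAmp: render('<p>{{& name}}</p>', view),    // same as the triple form
  };
}

console.log(demo());
```

Only the double-mustache output is safe to hand to innerHTML; the other two reproduce the doT.js behaviour the question describes, so they belong only with values you already trust as HTML.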