Danappelxx
commented
3 years ago It is generally up to the user of Mustache to avoid XSS, but most string interpolation is HTML-escaped.
Closed PEIYANGXINQU closed 3 years ago
Danappelxx
commented
3 years ago It is generally up to the user of Mustache to avoid XSS, but most string interpolation is HTML-escaped.
At first ,I use doT.js,It seems that doT do not check the input content.If the content is alert(999),then it will execute and alert the window. Now I change to use mustache.js.It seems OK.How do mustache avoid xss attack?