rendrjs / rendr

Render your Backbone.js apps on the client and the server, using Node.js.
MIT License

Don't unescape view options #513

Closed jmerrifield closed 8 years ago

jmerrifield commented 8 years ago

These are automatically unescaped whenever they are rendered to the DOM, so doing it here actually unescapes the content too many times, opening up a potential XSS vector, e.g. when displaying escaped HTML in a _block.

See rendrjs/rendr-handlebars#61 for a more detailed explanation
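To make the "unescaped too many times" failure concrete, here is an added illustration, not code from rendr or from the PR. It models a raw (triple-stash style) template block that trusts its input to already be HTML-escaped, and a crude stand-in for the browser's parser that lists the element tags in the rendered markup; the helper names (escapeHtml, unescapeHtml, renderRawBlock, tagNames) and the stand-in are assumptions made for the example, not rendr APIs. The point it shows: content that has been escaped once needs exactly one decode, which the browser already performs, so any extra unescape in the pipeline turns the escaped text back into live elements.

```javascript
// Added example (not rendr code): why an extra HTML-unescape step in a
// rendering pipeline turns already-escaped text back into live markup.

const ESCAPE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
const UNESCAPE = Object.fromEntries(
  Object.entries(ESCAPE).map(([ch, ent]) => [ent, ch])
);

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE[ch]);
}

// Inverse of escapeHtml for the same five entities.
function unescapeHtml(html) {
  return String(html).replace(/&(?:amp|lt|gt|quot|#x27);/g, (ent) => UNESCAPE[ent]);
}

// Stand-in for the browser's HTML parser (assumption: good enough for this
// demo). Returns the tag names of start tags found in the markup; anything
// other than the wrapper <p> arrived via the data, i.e. an XSS sink.
function tagNames(html) {
  return [...html.matchAll(/<([a-zA-Z][\w-]*)[^>]*>/g)].map((m) => m[1].toLowerCase());
}

function foreignTags(html) {
  return tagNames(html).filter((t) => t !== 'p');
}

// Template stage: a raw "{{{value}}}"-style block. It does NOT escape,
// because the caller passes content that is already escaped for display
// (the PR's case of showing escaped HTML inside a block).
function renderRawBlock(viewOption) {
  return `<p>${viewOption}</p>`;
}

// Correct pipeline: the escaped option reaches the template untouched. The
// browser performs the single decode and the user sees the markup as text.
function renderCorrect(escapedOption) {
  return renderRawBlock(escapedOption);
}

// Buggy pipeline: an extra unescape of view options before rendering undoes
// the escaping the caller relied on, so the browser receives real elements.
function renderWithExtraUnescape(escapedOption) {
  return renderRawBlock(unescapeHtml(escapedOption));
}

// Constructed sample: a user wants this snippet displayed as literal text,
// so the application stores and passes it already escaped.
const snippet = '<img src=x onerror=alert(1)>';
const escapedSnippet = escapeHtml(snippet);

// Summary of both pipelines for a quick comparison at the console.
function compare() {
  return {
    correct: foreignTags(renderCorrect(escapedSnippet)),
    extraUnescape: foreignTags(renderWithExtraUnescape(escapedSnippet)),
  };
}

console.log(compare());
```

The safe rule the example encodes: escape exactly once, at the point where data meets a given output context, and never run a generic unescape over data whose later consumer (template or browser) will decode it anyway.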

saponifi3d commented 8 years ago

Wow, I'm kinda amazed this was a thing and that it magically.

Mind adding a quick test case so we can avoid this in the future?

+1 lgtm

alexindigo commented 8 years ago

Sounds like next major.