问题描述
我使用句柄,并且如果处理了诸如' 的转义字符,它在屏幕上以&#39 ; 。
我知道用三重隐藏包装变量会防止这种情况发生。
我在三重存储中处理了以下字符串作为快速测试,它似乎很好< p> hello< p> would not wouldn <$ c
$ b
我的问题是,它是安全的吗?简单地将所有变量包装在三重藏匿中?或者会有一些无法预料的后果我还没有考虑过?
谢谢
默认情况下,所有双隐藏在Handlebars中的 {{var}} 嵌入式将被HTML转义。它出于安全原因执行,以避免漏洞。因为您的变量可能包含任何数据,包括用户数据或任何类型的不可信数据。
在某些情况下,您将需要按原样嵌入数据,而不会转义。使用tripple-stash {{{var}}} 。但是每次这样做时,您都需要考虑数据中可能包含的内容,并且可以信任它?
了解更多关于。
I use handlebars, and if an escaped character such as ' is processed it is rendered on screen as '.
I know wrapping the variable in a triple-stash will prevent this.
I processed the following string within a triple-stash as a quick test and it seemed fine "<p>hello<p>wouldn't wouldn't" This rendered to screen exactly how I wanted it to.
My question is, is it safe to simply wrap all variables in triple-stash? or will this have some unforeseen consequences I haven't considered?
Thanks
By default all double-stashed {{var}} embeds in Handlebars will be HTML-escaped. It's performed for security reasons to avoid DOM XSS vulnerabilities. Because your variable may contain any data including user-data or any kind of untrusted data.
In some cases you will need to embed your data as-is, without escaping. There is where tripple-stash {{{var}}} used. But every time doing this, you need to think what may be in your data and can you trust it?
Read more about HTML Escaping on Handlebars site.
这篇关于把手三重藏匿,以避免逃离html实体的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!