This handy client-side script registers the implementations of the contextual XSS escaping filters as handlebars' helpers, and is solely designed to be used with templates processed with the secure-handlebars package (e.g., <title>{{{yd title}}}</title> is one of the typical patterns of a processed template).
Download the latest version at dist/secure-handlebars-helpers.min.js, and embed it after the handlebars script file.
<script type="text/javascript" src="dist/handlebars.js"></script>
<script type="text/javascript" src="dist/secure-handlebars-helpers.min.js"></script>
<script type="text/javascript">
var templateSpec = Handlebars.compile("<title>{{{yd title}}}</title>");
// html is assigned <title><script>alert('xss')</script></title>
var data = {title: "<script>alert('xss')</script>"};
var html = templateSpec(data);
</script>Note: Read more about the underlying principle of contextual output filtering at xss-filters.
To contribute, you can help make changes in src/ and tests/, followed by the following commands:
$ npm run-script buildto build the standalone JavaScript for client-side use$ npm testto run the tests
This software is free to use under the Yahoo BSD license. See the LICENSE file for license text and copyright information.