This repository has been archived by the owner on Nov 22, 2018. It is now read-only.

added security notes for developers
Added notes for developers about security for preventing HTML injection attacks.
sdiemert committed Jul 17, 2015
1 parent d9e1eba commit a6e38bf
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions README.md
@@ -1,3 +1,13 @@
# Developer Notes

## Security

### Preventing HTML Injection

* To prevent HTML injection attacks, ensure that all text rendered to the page has any special html characters escaped.
* See disscussion on HTML injection: [http://stackoverflow.com/a/3793406](http://stackoverflow.com/a/3793406)
* When using handlebarjs to render text, if the `{{ text }}` syntax is used, the `text` will be passed through an `escapeExpression()` function that replaces HTML special characters. When using the `{{{ text }}}` no escape function is called. When in doubt, use `{{ }}`.
* See discussion about `handlebars.escapeExpression(String)` at [http://handlebarsjs.com/reference.html](http://handlebarsjs.com/reference.html).
# Setup

## Dependencies
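Review bot: the `{{ text }}` / `{{{ text }}}` bullet covers only the HTML text-node context, so the README should say that escaping alone is not sufficient when a value lands inside an unquoted attribute, a URL attribute such as `href`, or a `<script>` block, and that `{{{ }}}` is acceptable only for markup that has already been sanitized or comes from a trusted, non-user source. Consider rewording the last sentence to something like "Use `{{{ }}}` only for trusted, pre-sanitized HTML; for everything else use `{{ }}`." Also, the Handlebars library is normally written "Handlebars.js" rather than "handlebarjs", and "disscussion" in the Stack Overflow bullet is a typo for "discussion".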

0 comments on commit a6e38bf