secure-handlebars-helpersdeprecated

Client-side XSS filters for templates processed by context-parser-handlebars

Usage no npm install needed!

<script type="module">
  import secureHandlebarsHelpers from 'https://cdn.skypack.dev/secure-handlebars-helpers';
</script>

README

secure-handlebars-helpers

npm version dependency status Build Status

This handy client-side script registers the required XSS output filtering functions as handlebars' helpers, and is designed ONLY for templates that already have the context-sensitive filter markup (e.g., <title>{{{yd title}}}</title>) automatically inserted using secure-handlebars.

Quick Start

Client-side (browser)

Download the latest version at dist/secure-handlebars-helpers.min.js, and embed it after the handlebars script file.

<script type="text/javascript" src="dist/handlebars.js"></script>
<script type="text/javascript" src="dist/secure-handlebars-helpers.min.js"></script>

<script type="text/javascript">
var compiledTemplate = Handlebars.compile("<title>{{{yd title}}}</title>");
// html is assigned <title>&lt;script>alert('xss')&lt;/script></title>
var html = compiledTemplate({
    title: "<script>alert('xss')</script>"
});
</script>

Note: Read more about the underlying output filtering principle at xss-filters.

Contribute

To contribute, you will make changes in src/ and tests/, followed by the following commands:

  • $ npm run-script build to build the standalone JavaScript for client-side use
  • $ npm test to run the tests

License

This software is free to use under the Yahoo BSD license. See the LICENSE file for license text and copyright information.