Fix XSS vulnerability by defaulting to Handlebars html_escape formatting.
This commit is contained in:
parent
c1ae1b7a52
commit
cd7ad61c79
3 changed files with 3 additions and 4 deletions
|
@ -14,7 +14,7 @@ flatbuffers = "0.6.1"
|
|||
structopt = "0.3.17"
|
||||
structopt-derive = "0.4.10"
|
||||
num_cpus = "1.0"
|
||||
handlebars = "3.0.1"
|
||||
handlebars = "3.5.3"
|
||||
tempdir = "0.3.7"
|
||||
speculate = "0.1.2"
|
||||
chrono = "0.4.11"
|
||||
|
|
|
@ -1,9 +1,8 @@
|
|||
use handlebars::{Handlebars, JsonRender, no_escape};
|
||||
use handlebars::{Handlebars, JsonRender};
|
||||
|
||||
pub fn new<'r>() -> Handlebars<'r> {
|
||||
let mut handlebars = Handlebars::new();
|
||||
handlebars.register_helper("format_url", Box::new(format_helper));
|
||||
handlebars.register_escape_fn(no_escape);
|
||||
|
||||
handlebars
|
||||
}
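Review bot: Removing `register_escape_fn(no_escape)` restores Handlebars' default HTML escaping for `{{expr}}` output, but text that the `format_url` helper registered on the line above writes through its own output handle is not routed through the registry's escape function, as far as handlebars-rust's helper API goes; if `format_helper` interpolates request- or document-derived values it has to escape them itself (`handlebars::html_escape` is available for that). `format_helper` is defined outside the hunk, so whether it does is inferred, not visible here. A doc comment on `new` would record the contract the commit now relies on: `/// Builds the template registry with Handlebars' default HTML escaping enabled; helpers and any raw `{{{ }}}` output are responsible for escaping their own content.`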
|
||||
|
|
|
@ -304,7 +304,7 @@
|
|||
var uri_prefix="{{uri_prefix}}";
|
||||
|
||||
function init_plugins() {
|
||||
{{#each js_init as |fn|}}{{fn}}
|
||||
{{#each js_init as |fn|}}{{{fn}}}
|
||||
{{/each}}
|
||||
}
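Review bot: The triple-stash `{{{fn}}}` on the changed line exempts every `js_init` entry from the escaping this commit turns on, so the fix holds only if those entries are plugin-authored code and never built from request input or document content; a template comment stating that invariant would make the exemption deliberate rather than accidental, e.g. `{{!-- js_init entries are trusted, plugin-supplied JS and are intentionally rendered raw --}}`. On the unchanged `var uri_prefix="{{uri_prefix}}";` line, note that `html_escape` emits HTML entities, which a `<script>` body does not decode, so a prefix containing `"` or `&` would appear as entity text inside the JS string rather than the intended character — not an injection path, but a correctness caveat worth a comment. `init_plugins` lies entirely within the hunk.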
|
||||
|
||||
|
|