Fix XSS vulnerability by defaulting to Handlebars html_escape formatting.
parent
c1ae1b7a52
commit
cd7ad61c79
3 changed files with 3 additions and 4 deletions
|
@ -14,7 +14,7 @@ flatbuffers = "0.6.1"
|
||||||
structopt = "0.3.17"
|
structopt = "0.3.17"
|
||||||
structopt-derive = "0.4.10"
|
structopt-derive = "0.4.10"
|
||||||
num_cpus = "1.0"
|
num_cpus = "1.0"
|
||||||
handlebars = "3.0.1"
|
handlebars = "3.5.3"
|
||||||
tempdir = "0.3.7"
|
tempdir = "0.3.7"
|
||||||
speculate = "0.1.2"
|
speculate = "0.1.2"
|
||||||
chrono = "0.4.11"
|
chrono = "0.4.11"
|
||||||
|
|
|
@ -1,9 +1,8 @@
|
||||||
use handlebars::{Handlebars, JsonRender, no_escape};
|
use handlebars::{Handlebars, JsonRender};
|
||||||
|
|
||||||
pub fn new<'r>() -> Handlebars<'r> {
|
pub fn new<'r>() -> Handlebars<'r> {
|
||||||
let mut handlebars = Handlebars::new();
|
let mut handlebars = Handlebars::new();
|
||||||
handlebars.register_helper("format_url", Box::new(format_helper));
|
handlebars.register_helper("format_url", Box::new(format_helper));
|
||||||
handlebars.register_escape_fn(no_escape);
|
|
||||||
|
|
||||||
handlebars
|
handlebars
|
||||||
}
|
}
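Review bot: `format_helper`, still registered as `format_url` on the new side, is defined outside this hunk, and whatever it writes to the helper output probably does not pass through the escape function this change re-enables. As far as I know, handlebars-rust emits a function helper's output exactly as written, so default escaping covers plain `{{value}}` expressions but not what `format_url` produces. If the helper interpolates template parameters into a URL or markup, it should escape them itself, for example `out.write(&handlebars::html_escape(&rendered))?;`, where `rendered` stands for the string the helper builds. A doc comment on `new` such as `/// Relies on the default HTML escape function; do not register no_escape here.` would also guard against the old call being reintroduced.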
|
||||||
|
|
|
@ -304,7 +304,7 @@
|
||||||
var uri_prefix="{{uri_prefix}}";
|
var uri_prefix="{{uri_prefix}}";
|
||||||
|
|
||||||
function init_plugins() {
|
function init_plugins() {
|
||||||
{{#each js_init as |fn|}}{{fn}}
|
{{#each js_init as |fn|}}{{{fn}}}
|
||||||
{{/each}}
|
{{/each}}
|
||||||
}
|
}
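Review bot: The `{{{fn}}}` in the `js_init` loop writes each entry unescaped into the script, so every `js_init` value must be trusted code that never carries request- or user-derived text, and nothing in the hunk states that assumption. A template comment above the loop such as `{{!-- js_init entries are emitted raw: trusted plugin code only --}}` would record it. Separately, `var uri_prefix="{{uri_prefix}}";` now gets HTML escaping inside a JavaScript string literal, which is not the encoding that context needs (a backslash or line break in the value is left as is). It is worth confirming that `uri_prefix` comes only from configuration, or serialising it as JSON before it reaches the template. The surrounding script starts and ends outside the hunk.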
|
||||||
|
|
||||||
|
|