Fix XSS vulnerability by defaulting to Handlebars html_escape formatting.

Cargo.toml

@@ -14,7 +14,7 @@ flatbuffers = "0.6.1"
 structopt = "0.3.17"
 structopt-derive = "0.4.10"
 num_cpus = "1.0"
-handlebars = "3.0.1"
+handlebars = "3.5.3"
 tempdir = "0.3.7"
 speculate = "0.1.2"
 chrono = "0.4.11"

src/formatter.rs

@@ -1,9 +1,8 @@
-use handlebars::{Handlebars, JsonRender, no_escape};
+use handlebars::{Handlebars, JsonRender};
 
 pub fn new<'r>() -> Handlebars<'r> {
     let mut handlebars = Handlebars::new();
     handlebars.register_helper("format_url", Box::new(format_helper));
-    handlebars.register_escape_fn(no_escape);
 
     handlebars
 }

static/index.html

@@ -304,7 +304,7 @@
         var uri_prefix="{{uri_prefix}}";
 
         function init_plugins() {
-            {{#each js_init as |fn|}}{{fn}}
+            {{#each js_init as |fn|}}{{{fn}}}
             {{/each}}
         }