Commit

Stringify things before calling escapeHtml on them in case their stringified representation contains HTML.

This prevents a potential XSS attack.

Closes #449
Seth Kinast committed Jan 9, 2015
1 parent 0e0fcbb commit 07344c0
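The bypass the commit message describes, as an added example that is not dustjs code: a minimal reconstruction of `escapeHtml` before and after this commit, run against a constructed array and a constructed object whose `toString` returns markup. Only the `typeof` and `toString` lines are visible in the diff; the `HCHARS` pattern, the entity replacements and the `render` stand-in for the template engine's output concatenation are assumptions.

```javascript
// Added example, not dustjs code: a reconstruction of escapeHtml before and
// after this commit, so the bypass in the commit message can be reproduced.
// Only the `typeof` / `toString` lines are visible on this page; HCHARS and
// the entity replacements below are assumptions modelled on the usual table.
const HCHARS = /[&<>"']/;
const AMP = /&/g, LT = /</g, GT = />/g, QUOT = /"/g, SQUOT = /'/g;

// Assumed entity-encoding body (not shown in the diff). `&` goes first so
// the entities produced by the later replacements are not encoded twice.
function encode(s) {
  return s.replace(AMP, '&amp;').replace(LT, '&lt;').replace(GT, '&gt;')
          .replace(QUOT, '&quot;').replace(SQUOT, '&#39;');
}

// Before the commit: only values whose type is already "string" are escaped.
// Anything else is handed back as-is and coerced to a string later, when the
// template engine concatenates it into the output buffer.
function escapeHtmlBefore(s) {
  if (typeof s === 'string') {
    if (!HCHARS.test(s)) { return s; }
    return encode(s);
  }
  return s;
}

// After the commit: non-string values are stringified first, so whatever
// their toString produces goes through the same HCHARS check and encoding.
function escapeHtmlAfter(s) {
  if (typeof s === 'string' || (s && s.toString)) {
    if (typeof s !== 'string') { s = s.toString(); }
    if (!HCHARS.test(s)) { return s; }
    return encode(s);
  }
  return s;
}

// Assumed stand-in for the engine writing an escaped reference into a
// template: string concatenation is where a non-string value gets coerced.
function render(escapeFn, value) {
  return '<p>' + escapeFn(value) + '</p>';
}

// Constructed attacker-controlled values whose string form contains markup.
const arrayInput = ['<img src=x onerror=alert(1)>', 'b'];
const objectInput = { toString: function () { return '<script>alert(1)</script>'; } };

// Run stand-alone to compare the two behaviours on both inputs.
if (typeof require !== 'undefined' && require.main === module) {
  for (const v of [arrayInput, objectInput]) {
    console.log('before:', render(escapeHtmlBefore, v));
    console.log('after: ', render(escapeHtmlAfter, v));
  }
}
```

With the old check, `render(escapeHtmlBefore, arrayInput)` yields `<p><img src=x onerror=alert(1)>,b</p>`: the array never had type `"string"`, so it skipped the encoder and was joined into the page verbatim by the concatenation. The same call through `escapeHtmlAfter` yields `<p>&lt;img src=x onerror=alert(1)&gt;,b</p>`, and the page's own test input `["You & I", " & Moe"]` comes out as `You &amp; I, &amp; Moe`.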
Showing 2 changed files with 11 additions and 1 deletion.
5 changes: 4 additions & 1 deletion lib/dust.js
@@ -849,7 +849,10 @@
SQUOT = /\'/g;

dust.escapeHtml = function(s) {
if (typeof s === 'string') {
if (typeof s === "string" || (s && s.toString)) {
if (typeof s !== "string") {
s = s.toString();
}
if (!HCHARS.test(s)) {
return s;
}
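Review bot: the new guard `(s && s.toString)` is true for every truthy object, since `toString` is inherited from `Object.prototype`, so the condition effectively reads "any truthy non-string value"; the values it still lets through unescaped are `0`, `false`, `null`, `undefined` and objects made with `Object.create(null)`, which have no `toString`. Calling `String(s)` unconditionally covers all of those with the same result for arrays and objects that define `toString`, and lets the three lines `if (typeof s !== "string") { s = s.toString(); }` collapse to `s = String(s);`. Whichever form is kept, a comment noting that a custom `toString` returning a non-string is coerced again by `HCHARS.test(s)` would save the next reader a detour.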
7 changes: 7 additions & 0 deletions test/jasmine-test/spec/coreTests.js
@@ -688,6 +688,13 @@ var coreTests = [
},
expected: "1",
message: "should test using a multilevel reference as a key in array access"
},
{
name: "Outputting an array calls toString and HTML-encodes",
source: "{array}",
context: { "array": ["You & I", " & Moe"] },
expected: "You & I, & Moe",
message: "should HTML-encode stringified arrays referenced directly"
}
]
},
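Review bot: the `expected` value as shown here, `"You & I, & Moe"`, contains bare ampersands, which contradicts the test's own message "should HTML-encode stringified arrays"; if the source file reads `&amp;` this view has decoded the entities, otherwise the assertion only passes when no encoding happens, so please confirm which it is. The commit message also describes the problem for any value whose stringified form contains HTML, but the only case added is an array; a second case with an object whose `toString` returns markup such as `<script>` would exercise the `s.toString()` branch directly, and a number would pin down the boundary where stringification is now applied to non-string primitives.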