Em.Handlebars.Utils.escapeExpression escapes = in 2.8 but doesn't in 2.7
#14297
Comments
|
We appear to be escaping the
|
|
Which is the same as in handlebars: https://github.com/wycats/handlebars.js/blob/e8ceafa6525a5d41a20aa74dfe24bf99d0bc2fcd/lib/handlebars/utils.js#L8
|
|
In a running 2.7 app the
...snip...
|
|
The handlebars-lang/handlebars.js@83b8e84#diff-ae3504422051de557ee42ced88f17a34 |
|
It looks like https://github.com/tildeio/htmlbars/blob/master/package.json#L46 This doesn't escape https://github.com/wycats/handlebars.js/blob/v3.0.2/lib/handlebars/utils.js#L2-L9 |
GavinJoyce
changed the title
Em.Handlebars.Utils.escapeExpression is different between 2.7 and 2.8Em.Handlebars.Utils.escapeExpression escapes = in 2.8 but doesn't in 2.7
|
This doesn't seem like an issue, support for escaping I'm going to close this, please let me know if you think this is incorrect |
There seems to be a difference in return value from
Em.Handlebars.Utils.escapeExpressionin Ember 2.7 and Ember 2.8:2.7:
Em.Handlebars.Utils.escapeExpression("http://foo.com?a=")returns:http://foo.com?a=2.8:
Em.Handlebars.Utils.escapeExpression("http://foo.com?a=")returns:http://foo.com?a=here's a twiddle: https://ember-twiddle.com/f3db021495d6dbbc1853c83a624e1faf?openFiles=controllers.application.js%2C
UPDATE: It [looks like](3.0.2 and 3.0.3) we were using an old version of Handlebars (
3.0.2) which didn't escape=.ember-glimmer/lib/utils/string.jsdoes escape it, bringing us up to date with latest Handlebars escaping rules.This doesn't seem like an issue, support for escaping
=was added in 2015 to prevent XSS.I'm going to close this, please let me know if you think this is incorrect
The text was updated successfully, but these errors were encountered: