Skip to content
This repository has been archived by the owner on Mar 22, 2019. It is now read-only.

Commit

Permalink
Merge pull request #2097 from emberjs/bound-attribute-warning
Browse files Browse the repository at this point in the history
Adds a guide on bound `style` warning
  • Loading branch information
rwjblue committed Mar 25, 2015
2 parents 743022b + 9ea98a1 commit 0d29165
Showing 1 changed file with 36 additions and 0 deletions.
36 changes: 36 additions & 0 deletions source/deprecations/v1.x.html.md
Original file line number Diff line number Diff line change
Expand Up @@ -319,6 +319,42 @@ App.instanceInitializer({

Added in [PR #10256](https://github.com/emberjs/ember.js/pull/10256).

#### Warning When Binding Style Attributes

Content in Handlebars templates is automatically HTML-escaped to help
developers prevent inadvertently introducing cross-site scripting (XSS)
vulnerabilities into their applications. If you want to display trusted
content as HTML, you can use a `SafeString`, a special string that tells Ember
that the content should be displayed without escaping.

While this works great for HTML, there are some cases where you may bind user
data that the browser interprets as CSS, not HTML. For example, you may bind
the `style` attribute of an element:

```handlebars
<div style={{myStyle}}></div>
```

Handlebars only escapes HTML, not CSS, so this may introduce a potential XSS
vulnerability into your application if a malicious user is able to provide data
used in the `myStyle` property.

Starting in Ember 1.11, you will receive a warning if you attempt to bind the
`style` attribute of an element. Once you have verified that the content being
displayed is trusted and properly escaped, you can disable the warning by
making the content a `SafeString`. For example:

```js
myStyle: function() {
var color = escapeCSS(this.get('color'));
return ("color: " + color).htmlSafe();
}.property('color')
```

You can learn more about `SafeString`s and writing code that prevents XSS
attacks by reading the [Writing
Helpers](http://emberjs.com/guides/templates/writing-helpers/) guide.

### Deprecations Added in 1.12

#### Deprecate non-block-params {{each}} helper syntax
Expand Down

0 comments on commit 0d29165

Please sign in to comment.