SECURITY: Backported XSS fixes from Handlebars

2025-02-25 18:55:32 -06:00 · 2015-11-24 16:07:47 -05:00
parent f4d44187c8
commit 434deb1bd3
22 changed files with 70 additions and 30 deletions
--- a/vendor/assets/javascripts/handlebars.js
+++ b/vendor/assets/javascripts/handlebars.js
@@ -64,11 +64,16 @@ var __module3__ = (function(__dependency1__) {
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
-    "`": "&#x60;"
+    '`': '&#x60;',
+    '\n' : '\\n',   // NewLine
+    '\r' : '\\n',   // Return
+    '\b' : '\\b',   // Backspace
+    '\f' : '\\f',   // Form fee
+    '\t' : '\\t',   // Tab
+    '\v' : '\\v'   // Vertical Tab
  };
-
-  var badChars = /[&<>"'`]/g;
-  var possible = /[&<>"'`]/;
+  var badChars = /[&<>"'`\b\f\n\r\t\v]/g;
+  var possible = /[&<>"'`\b\f\n\r\t\v]/;

  function escapeChar(chr) {
    return escape[chr];