Are XSS triple brackets safe in Meteor?

Interestingly, the triple curly braces sanitize the user’s input inside the templates to be safe for XSS. Tags like <script> will not be displayed, but what about other creepy XSS hacks?

Thanks in advance!

+4
1 answer

It is unsafe because you can still run malicious code, for example:

// Helper returning raw HTML; {{{bad}}} inserts it into the DOM without escaping
Template.xx.helpers({
    'bad': function() {
        return '<a href="#" onclick="alert(\'compromised\');">CLICK ME PLZ!</a>';
    }
});

Template

<template name="xx"> {{{bad}}} </template>

This means that the user needs to click a button, but you can make it more reliable by using other events, such as onmouseover:

For example, a fixed div that covers the whole page:

<div style="width:100%; height:100%; position: fixed;" onmouseover="console.log('haha');"></div>

CSS can be abused in the same way (e.g. content: or z-index to overlay other divs).

+5
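As an added example (not code from the answer above or from Meteor itself), the Node.js functions below contrast what `{{ }}` escaping does with a naive filter that only strips `<script>`, add a check for leftover event-handler attributes, and show a small allowlist sanitizer. The function names, the allowlist and the regexes are this example's own assumptions.

```javascript
// Added example, not code from the answer above or from Meteor itself.
// Plain functions standing in for template helpers; the names are assumptions.

// Constructed sample payloads modelled on the answer's examples.
const SAMPLES = [
  '<a href="#" onclick="alert(\'compromised\');">CLICK ME PLZ!</a>',
  '<div style="width:100%;height:100%;position:fixed" onmouseover="console.log(\'haha\')"></div>',
  '<script>alert(1)</script><b>hello</b>',
];

// What {{ }} (double braces) does: every character that could start markup
// is escaped, so the browser renders the payload as visible text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Naive filter that only removes <script> blocks. Inline event handlers
// (onclick, onmouseover, ...) survive, which is the gap the answer points out.
function stripScriptTagsOnly(s) {
  return s.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Check to run before trusting markup to {{{ }}}: does it still carry an
// inline event handler attribute or a javascript: URL?
function hasActiveContent(html) {
  return /<[^>]*\s(on\w+)\s*=/i.test(html) || /javascript\s*:/i.test(html);
}

// Allowlist sanitizer (illustrative): keep a few formatting tags, keep only
// href on <a> and only for http(s) URLs, drop every other tag and attribute,
// and escape all text (including text left behind by dropped tags).
const ALLOWED = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'a']);
function sanitizeAllowlist(html) {
  // Alternatives: a complete tag | a run of text | a stray "<" (escaped).
  return html.replace(/<\/?([a-zA-Z]\w*)([^>]*)>|[^<]+|</g, (m, tag, attrs) => {
    if (tag === undefined) return escapeHtml(m);
    const name = tag.toLowerCase();
    if (!ALLOWED.has(name)) return '';
    if (m.startsWith('</')) return `</${name}>`;
    let keep = '';
    if (name === 'a') {
      const href = /\bhref\s*=\s*["']?(https?:\/\/[^"'\s>]+)/i.exec(attrs || '');
      if (href) keep = ` href="${escapeHtml(href[1])}"`;
    }
    return `<${name}${keep}>`;
  });
}
```

A regex-based sanitizer like this is fine for seeing where the naive filter fails, but a production app should run user HTML through a vetted library (for example DOMPurify) or simply render it with `{{ }}` and never with `{{{ }}}`.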
