When using the {{emoji-parse ...}} helper, I've realized it's very easy to introduce XSS vulnerability, as the helper uses htmlSafe right here, which causes Handlebars to wholesale not escape the output.
Any ideas to make this better? Is there any reason not to call Handlebars.escapeExpression on the provided input? Or maybe provide an option that we can pass to the helper?
If there isn't a good general solution, maybe just mentioning the use of htmlSafe in the documentation would suffice.
When using the
{{emoji-parse ...}}helper, I've realized it's very easy to introduce XSS vulnerability, as the helper useshtmlSaferight here, which causes Handlebars to wholesale not escape the output.Any ideas to make this better? Is there any reason not to call
Handlebars.escapeExpressionon the provided input? Or maybe provide an option that we can pass to the helper?If there isn't a good general solution, maybe just mentioning the use of
htmlSafein the documentation would suffice.