Merge pull request #84 from ohwillie/unsafe-html

json Handlebars helper allows unsafe HTML
bee-queue · Jan 21, 2018 · 164ec86 · 164ec86
2 parents c0a2658 + 389f3f6
commit 164ec86
Showing 1 changed file with 23 additions and 13 deletions.
diff --git a/src/server/views/helpers/handlebars.js b/src/server/views/helpers/handlebars.js
@@ -1,15 +1,25 @@
 const _ = require('lodash');
-const Handlerbars = require('handlebars');
+const Handlebars = require('handlebars');
+
+const replacer = (key, value) => {
+  if (_.isObject(value)) {
+    return _.transform(value, (result, v, k) => {
+      result[Handlebars.Utils.escapeExpression(k)] = v;
+    });
+  } else if (_.isString(value)) {
+    return Handlebars.Utils.escapeExpression(value);
+  } else {
+    return value;
+  }
+};
 
 const helpers = {
   json(obj, pretty = false) {
-    var d;
+    const args = [obj, replacer];
     if (pretty) {
-      d = JSON.stringify(obj, null, 2);
-    } else {
-      d = JSON.stringify(obj);
+      args.push(2);
     }
-    return new Handlerbars.SafeString(d);
+    return new Handlebars.SafeString(JSON.stringify(...args));
   },
 
   adjustedPage(currentPage, pageSize, newPageSize) {
@@ -18,19 +28,19 @@ const helpers = {
   },
 
   block(name) {
-    var blocks = this._blocks;
-        content = blocks && blocks[name];
+    const blocks = this._blocks;
+    const content = blocks && blocks[name];
     return content ? content.join('\n') : null;
   },
 
-  contentFor: function(name, options) {
-    var blocks = this._blocks || (this._blocks = {});
-        block = blocks[name] || (blocks[name] = []);
+  contentFor(name, options) {
+    const blocks = this._blocks || (this._blocks = {});
+    const block = blocks[name] || (blocks[name] = []);
     block.push(options.fn(this));
   },
 
-  encodeIdAttr: function (id) {
-      return id.replace(/:| /g, "");
+  encodeIdAttr(id) {
+    return id.replace(/:| /g, '');
   }
 };