From 5f5ab84085e83dac7b39fb9019bdb33930d72703 Mon Sep 17 00:00:00 2001
From: Rob Hanlon <rob.hanlon@substantial.com>
Date: Fri, 19 Jan 2018 06:45:03 -0800
Subject: [PATCH] Escape keys as well

---
 src/server/views/helpers/handlebars.js | 27 +++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/src/server/views/helpers/handlebars.js b/src/server/views/helpers/handlebars.js
index dc64dffa..cf52ffba 100644
--- a/src/server/views/helpers/handlebars.js
+++ b/src/server/views/helpers/handlebars.js
@@ -1,8 +1,17 @@
-const _ = require('lodash');
-const Handlebars = require('handlebars');
+const _ = require("lodash");
+const Handlebars = require("handlebars");
 
-const replacer = (key, value) =>
-    _.isString(value) ? Handlebars.Utils.escapeExpression(value) : value;
+const replacer = (key, value) => {
+  if (_.isObject(value)) {
+    return _.transform(value, (result, v, k) => {
+      result[Handlebars.Utils.escapeExpression(k)] = v;
+    });
+  } else if (_.isString(value)) {
+    return Handlebars.Utils.escapeExpression(value);
+  } else {
+    return value;
+  }
+};
 
 const helpers = {
   json(obj, pretty = false) {
@@ -20,18 +29,18 @@ const helpers = {
 
   block(name) {
     var blocks = this._blocks;
-        content = blocks && blocks[name];
-    return content ? content.join('\n') : null;
+    content = blocks && blocks[name];
+    return content ? content.join("\n") : null;
   },
 
   contentFor: function(name, options) {
     var blocks = this._blocks || (this._blocks = {});
-        block = blocks[name] || (blocks[name] = []);
+    block = blocks[name] || (blocks[name] = []);
     block.push(options.fn(this));
   },
 
-  encodeIdAttr: function (id) {
-      return id.replace(/:| /g, "");
+  encodeIdAttr: function(id) {
+    return id.replace(/:| /g, "");
   }
 };