在 Mustache 模板变量中混合未经净化的数据、HTML
我正在尝试将消息传递到 Mustache 模板,如下所示:
您提供的 url http://example.com 无效。
用户指定了URL,因此需要对URL进行转义。但是我想在 URL 周围放置 标签,这样它就可以从周围的文本中脱颖而出,因此代码标签需要在不被转义的情况下传递。
我可以写这样的内容:
{{text_before_url}}<code>{{url}}</code>{{text_after_url}}
但是,消息的文本各不相同,并且并不总是适合该结构。
我还可以尝试使用三个大括号 {{{messages}}} 输出原始文本,并使用 htmlentities($url) 之类的内容转义 URL,但如果有人稍后调整程序以传递新消息,并在没有意识到必须转义数据的情况下传递数据,那么我们就会陷入严重的 XSS 麻烦。
我可能只是运气不好,而且我了解拥有一个简单模板引擎的价值,但是有什么方法可以告诉 Mustache HTML 标签没问题,同时转义其余输出呢?
凯文
I'm trying to pass a message through to a Mustache template that looks something like this:
The url you provided, http://example.com, is not valid.
The user specifies the URL, so the URL needs to be escaped. However I want to put <code> tags around the URL, so it stands out from the surrounding text, so the code tags need to be passed through without being escaped.
I could write something like this:
{{text_before_url}}<code>{{url}}</code>{{text_after_url}}
However, the text of the message varies and it's not always going to fit that structure.
I could also try outputting the raw text with three braces, {{{messages}}}, and escaping the URL with something like htmlentities($url), but if someone adapts the program later to pass in a new message, and passes in data without realizing it has to be escaped, then we are in big XSS trouble.
I might just be out of luck, and I understand the value of having a simple templating engine, but is there some way I can tell Mustache that the HTML tags are OK, while escaping the rest of the output?
Kevin
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
在模板内使用 {{variable}} 来达到 5 > 2 将导致
5 > 2,其中使用 {{{variable}}}(3 个胡子)将导致5 > 2..比照。文档: https://github.com/defunkt/mustache#escaping
Using {{variable}} inside a template for 5 > 2 will result in
5 > 2, where as the usage of {{{variable}}} (3 mustaches) will result in5 > 2.Cf. documentation: https://github.com/defunkt/mustache#escaping