@justinbmeyer justinbmeyer released this Oct 4, 2018 · 143 commits to master since this release

can-stache v4.14.0 - Fixes possible XSS attack
A reflected XSS exploit is possible when the programmer makes a programming error. If a template value is initialized as null and then changed to a string containing an exploit payload, the string is rendered as an HTML snippet instead of text.

For example:

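var SimpleMap = require("can-simple-map");
var stache = require("can-stache");

var map = new SimpleMap({
     foo: null
});
var frag = stache("<div>{{foo}}</div>")(map);
map.set("foo", "<p></p>");

// Before this release, the string is inserted as markup rather than as text:
frag //-> "<div><p></p></div>"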

PR: canjs/can-stache#601
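
The null-then-string sequence above is worth pinning down as a regression check. The following is an added example, not can-stache code: it models a live binding without a DOM and assumes, for illustration only, that the vulnerable binder picks its insertion mode once from the first value it sees. `bindOnce`, `bindEveryUpdate`, `findUnescapedSteps` and the `safeHTML` marker are hypothetical names.

```javascript
// Added example: DOM-free model of a live {{value}} binding, not can-stache code.
// Assumption: the vulnerable binder fixes text-vs-HTML mode from the first value.
function escapeHTML(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c];
  });
}

// Vulnerable model: a non-string first value (null) leaves the binding in HTML mode.
function bindOnce(initial) {
  var asText = typeof initial === "string";
  return function render(value) {
    if (value == null) { return ""; }
    return asText ? escapeHTML(value) : String(value);
  };
}

// Hardened model: every update is classified on its own. Only a value carrying the
// hypothetical `safeHTML` marker skips escaping; plain strings never do.
function bindEveryUpdate() {
  return function render(value) {
    if (value == null) { return ""; }
    if (typeof value === "object" && typeof value.safeHTML === "string") {
      return value.safeHTML;
    }
    return escapeHTML(value);
  };
}

// Regression check: feed a binder a sequence of values and report every step
// where a plain string reached the output with raw angle brackets.
function findUnescapedSteps(makeBinder, steps) {
  var render = makeBinder(steps[0]);
  var failures = [];
  steps.forEach(function (value, i) {
    var inner = render(value);
    if (typeof value === "string" && /[<>]/.test(inner)) {
      failures.push({ step: i, html: "<div>" + inner + "</div>" });
    }
  });
  return failures;
}

// Constructed inputs: the null-then-string sequence from the release note, plus extras.
var steps = [null, "<p></p>", "plain", undefined, "<b>x</b>"];
console.log("bindOnce:", findUnescapedSteps(bindOnce, steps));
console.log("bindEveryUpdate:", findUnescapedSteps(bindEveryUpdate, steps));
```

A test suite for a real template would run the same sequence against the rendered fragment and compare its serialized markup.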


  • can-fragment v1.3.0 - Support @can.toDOM
    This adds support for calling an object's can.toDOM symbol and using the result to convert that object into a fragment. This is to clean up stache.safeString.