
Allow 'filename' opt passed in data, but sanitize when rendered

1 parent 2aa2123 commit d4e61428c3d8b27e6873eaa86a47909f88b2964d @mde committed Dec 6, 2016
Showing with 3 additions and 2 deletions.
  1. +3 −2 lib/ejs.js
@@ -55,7 +55,7 @@ var _DEFAULT_LOCALS_NAME = 'locals';
var _NAME = 'ejs';
var _REGEX_STRING = '(<%%|%%>|<%=|<%-|<%_|<%#|<%|%>|-%>|_%>)';
var _OPTS = ['delimiter', 'scope', 'context', 'debug', 'compileDebug',
- 'client', '_with', 'rmWhitespace', 'strict'];
+ 'client', '_with', 'rmWhitespace', 'strict', 'filename'];
var _BOM = /^\uFEFF/;
/**
@@ -230,10 +230,11 @@ function includeSource(path, options) {
* @static
*/
-function rethrow(err, str, filename, lineno){
+function rethrow(err, str, flnm, lineno){
var lines = str.split('\n');
var start = Math.max(lineno - 3, 0);
var end = Math.min(lines.length, lineno + 3);
+ var filename = utils.escapeXML(flnm);
@rpaterson
rpaterson Dec 6, 2016 Contributor

This isn't quite right - should be using the configured escape function option.

@mde
mde Dec 6, 2016 Owner

Yes, I meant to put a FIXME to note that I should consider this, but I was rushing this fix out the door. The rethrow is not an instance method, so wiring that up would have taken a bit more time. Can you open an issue so I don't forget to do it? Or you could take a stab at it yourself.

// Error context
var context = lines.slice(start, end).map(function (line, i){
var curr = i + start + 1;
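Review bot: Adding `'filename'` to `_OPTS` in the first hunk lets the value arrive from the render data, as the commit title says, but the only place this commit treats it as untrusted is the message built in `rethrow`. Any other reader of `options.filename` still receives the raw string; `includeSource(path, options)` appears in the second hunk header, and if include paths are resolved relative to the filename (not visible here), that use needs path validation of its own rather than HTML escaping. I would record the trust boundary where the allow-list is defined, e.g. `// Option names that may be copied from render data; their values are caller-supplied and must be treated as untrusted at every use`. Separately, the abbreviated parameter `flnm` reads poorly, and any `@param` entry for `filename` in the JSDoc above (cut off by the hunk) would no longer match the signature; the body of `rethrow` continues past the end of the hunk.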
