WIP - Sanitize the appData and bootstrappedData

rendrjs · Feb 18, 2015 · 6c91f50 · 6c91f50
1 parent ff6323d
commit 6c91f50
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/server/viewEngine.js b/server/viewEngine.js
@@ -1,5 +1,6 @@
 var path = require('path'),
     _ = require('underscore'),
+    sanitizer = require('sanitizer'),
     layoutTemplates = {};
 
 module.exports = exports = ViewEngine;
@@ -20,13 +21,18 @@ ViewEngine.prototype.render = function render(viewPath, data, callback) {
   app = data.app;
   layoutData = _.extend({}, data, {
     body: this.getViewHtml(viewPath, data.locals, app),
-    appData: app.toJSON(),
-    bootstrappedData: this.getBootstrappedData(data.locals, app),
+    appData: this.escapeAndStringify(app.toJSON()),
+    bootstrappedData: this.escapeAndStringify(this.getBootstrappedData(data.locals, app)),
     _app: app
   });
+
   this.renderWithLayout(layoutData, app, callback);
 };
 
+ViewEngine.prototype.escapeAndStringify = function escapeAndStringify(data) {
+  return sanitizer.escape(JSON.stringify(data));
+};
+
 /**
  * Render with a layout.
  */

diff --git a/shared/base/view.js b/shared/base/view.js
@@ -9,6 +9,7 @@ var _ = require('underscore'),
     Backbone = require('backbone'),
     async = require('async'),
     isServer = (typeof window === 'undefined'),
+    sanitizer = require('sanitizer'),
     BaseView;
 
 if (!isServer) {
@@ -432,6 +433,7 @@ BaseView.getViewOptions = function ($el) {
       parsed = _.unescape(value);
       try {
         parsed = JSON.parse(parsed);
+        parsed = sanitizer.unescapeEntities(parse);
       } catch (err) {}
       options[key] = parsed;
     }