From 6c91f50f9684ca51b3d88a6486b4f1d61b62bba4 Mon Sep 17 00:00:00 2001
From: Josh Callender
Date: Tue, 17 Feb 2015 18:36:06 -0800
Subject: [PATCH] WIP - Sanitize the appData and bootstrappedData
---
 server/viewEngine.js | 10 ++++++++--
 shared/base/view.js | 2 ++
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/server/viewEngine.js b/server/viewEngine.js
index cecf4da7..943642ea 100644
--- a/server/viewEngine.js
+++ b/server/viewEngine.js
@@ -1,5 +1,6 @@
 var path = require('path'),
 _ = require('underscore'),
+ sanitizer = require('sanitizer'),
 layoutTemplates = {};
 
 module.exports = exports = ViewEngine;
@@ -20,13 +21,18 @@ ViewEngine.prototype.render = function render(viewPath, data, callback) {
 app = data.app;
 layoutData = _.extend({}, data, {
 body: this.getViewHtml(viewPath, data.locals, app),
- appData: app.toJSON(),
- bootstrappedData: this.getBootstrappedData(data.locals, app),
+ appData: this.escapeAndStringify(app.toJSON()),
+ bootstrappedData: this.escapeAndStringify(this.getBootstrappedData(data.locals, app)),
 _app: app
 });
+
 this.renderWithLayout(layoutData, app, callback);
 };
 
+ViewEngine.prototype.escapeAndStringify = function escapeAndStringify(data) {
+ return sanitizer.escape(JSON.stringify(data));
+};
+
 /**
 * Render with a layout.
 */
diff --git a/shared/base/view.js b/shared/base/view.js
index 35212e84..15e6c072 100644
--- a/shared/base/view.js
+++ b/shared/base/view.js
@@ -9,6 +9,7 @@ var _ = require('underscore'),
 Backbone = require('backbone'),
 async = require('async'),
 isServer = (typeof window === 'undefined'),
+ sanitizer = require('sanitizer'),
 BaseView;
 
 if (!isServer) {
@@ -432,6 +433,7 @@ BaseView.getViewOptions = function ($el) {
 parsed = _.unescape(value);
 try {
 parsed = JSON.parse(parsed);
+ parsed = sanitizer.unescapeEntities(parse);
 } catch (err) {}
 options[key] = parsed;
 }
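Review bot: The new `escapeAndStringify` in server/viewEngine.js carries no comment saying which output context its HTML-entity escaping is meant for, and that matters because entity escaping is the right treatment for an attribute value but does not protect a `<script>` body, where a `</script>` sequence or a U+2028 inside the JSON still breaks out; the layout that consumes `appData` and `bootstrappedData` is outside this hunk, so the context cannot be confirmed here. I would add above the function: `// HTML-entity-escapes the JSON so the layout can place it in an attribute value; the layout must insert it raw (no second escaping) and the client must entity-decode before JSON.parse. Not sufficient for a <script> block.` Separately, `JSON.stringify(undefined)` yields `undefined` rather than a string, so if `getBootstrappedData` can return nothing the call would pass `undefined` to `sanitizer.escape`; whether that is reachable depends on code outside the hunk. The body of `render` starts above the hunk.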
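Review bot: The added line in shared/base/view.js references `parse`, which is not declared anywhere in the hunk, so it throws a ReferenceError that the empty `catch (err) {}` swallows and the decoding step never runs; the intended identifier is `parsed`. Even with the name fixed the order is inverted relative to the server side, which escapes after stringifying, so the client should decode before parsing: `parsed = sanitizer.unescapeEntities(parsed); parsed = JSON.parse(parsed);` in place of the two lines. Note too that `parsed = _.unescape(value)` two lines above already decodes entities once, so a second decode would alter values that legitimately contain entity-like text such as `&amp;lt;`; whether both decodes are needed depends on how the layout emits the attribute, which is outside this hunk. The enclosing `getViewOptions` function starts and ends outside the hunk.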