Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

htmlSafe vs {{{ }}}

See original GitHub issue

Question:

In my .hbs files, is there an advantage to passing htmlSafe=true, as opposed to just wrapping the whole thing in tripple braces? Both do the trick.

Eg:

{{t 'onboarding.step2.verifyLink' helpCenterUrl=helpCenterUrl htmlSafe=true}}

{{{t 'onboarding.step2.verifyLink' helpCenterUrl=helpCenterUrl}}}

Issue Analytics

State:
Created 5 years ago
Comments:12 (6 by maintainers)

Top GitHub Comments

2reactions

jasonmitcommented, Jan 25, 2019

@sbsurf no “built-in” way but this should achieve what you want.

/* app/services/intl.js */
import { assign } from '@ember/polyfills';
import IntlService from 'ember-intl/services/intl';

export default IntlService.extend({
  t(key, options) {
    return this._super(key, assign({ htmlSafe: true }, options));
  }
});

I don’t see a downside to this so long as you trust whoever is authoring translations 😃

2reactions

jasonmitcommented, Nov 27, 2018

Triple curlies are really unsafe, take the following example:

{{{t 'home.greet' name='<img src="" onerror="javascript:alert();">'}}}

This will evaluate the entire translation output, including the name argument, as HTML. You’ll see the alert fires.

htmlSafe is different in that it only treats the translation itself, not the argument values, as HTML. Every argument passed into the t helper is then escaped.

{{t 'home.greet' name='<img src="" onerror="javascript:alert();">' htmlSafe=true}}

Would escape name but treat the rest of the translation output as htmlSafe.

Top Results From Across the Web

htmlSafe - 4.8 - Ember API Documentation

A word of warning - The htmlSafe method does not make the string safe; it only tells the framework to treat the string...

raw vs. html_safe vs. h to unescape html - Stack Overflow

Considering Rails 3: html_safe actually "sets the string" as HTML Safe (it's a little more complicated than that, but it's basically it).

Replaces htmlSafe import incorrectly · Issue #85 - GitHub

The codemod inserts import { htmlSafe } from '@ember/template' but it ... And @ember/template gives me a 'module not found' at runtime.

Found unsafe method htmlSafe() JS-S1007 - DeepSource

Issue JS-S1007: Found unsafe method `htmlSafe()` ... especially if the string was generated from user input or some other untrusted source.

Phoenix.HTML v3.2.0 - HexDocs

HTML Safe. One of the main responsibilities of this module is to provide convenience functions for escaping and marking HTML code as safe....

Troubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.

Start Free

Top Related Reddit Thread

No results found

Top Related Tweet

No results found

Top Related Dev.to Post

No results found

htmlSafe vs {{{ }}}

Issue Analytics

Top GitHub Comments

Top Results From Across the Web

Top Related Medium Post

Top Related StackOverflow Question

Troubleshoot Live Code

Top Related Reddit Thread

Top Related Hackernoon Post

Top Related Tweet

Top Related Dev.to Post

Top Related Hashnode Post

Using inline handlebars helpers within translation strings

Get current locale value (string or array?)