Fix all XSS with underscore
Currently there is a lot of HTML strings inserted into CS/JS. This is bad practice and we really shouldn't do it. (I'm guilty of this myself).
We should store the templates elsewhere if possible so not to crowd the CS.
It would be good to put templates in a separate file or in the HTML in a
<script type = "text/template" id="new-thing-template">
template here.
</script>
When using underscore templates we must make sure we do proper XSS preventive measure. In your template use <%- %>
instead of <%= %>
.
This will alert
var insert = '<script>alert(\'hi there\')</script>';
var content = _.template('<div><strong>Tada</strong><%= txt %></div>')
$('#content').html(content({txt: insert}))
This willn't
var insert = '<script>alert(\'hi there\')</script>';
var content = _.template('<div><strong>Tada</strong><%- txt %></div>')
$('#content').html(content({txt: insert}))
Let's do a pass and make sure that we aren't guilty of any XSS via this method and if so fix it.
In the meantime let's get some 2 way binding going so we won't have this problem again.
Also open to other suggestions.
cc @iamphill @annabeldunstone @alfredo1 @lbennett @connorshea @fatihacet @DouweM