UNPKG

can-stache

Version:

Live binding handlebars templates

canjs.com/doc/can-stache.html

canjs/can-stache

61 lines (41 loc) 1.74 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
@function can-stache.safeString safeString @parent can-stache.static @description Indicate that a string does not need to be escaped to be safely inserted into the page. @signature `stache.safeString(str)` By default, stache tries to prevent some common forms of [cross site scripting attacks](https://en.wikipedia.org/wiki/Cross-site_scripting) by escaping content passed to tags like [can-stache.tags.escaped] and the result of helpers. However, one will often need to create helpers that return HTML content that shouldn’t be escaped. `stache.safeString` can be used to indicate that a returned string from a helper is safe: ```js stache.registerHelper( "myHelper", function() { return stache.safeString( "<blink>Hello There!</blink>" ); } ); ``` @param {String} str A string you don’t want to become escaped. @return {String} A string flagged by `stache` as safe, which will not become escaped, even if you use [can-stache.tags.escaped]. @body ## Use If you write a helper that generates its own HTML, you will usually want to return a `stache.safeString.` In this case, you will want to manually escape parameters with [can-string.esc]. ```js import string from "can-string"; stache.registerHelper( "link", function( text, url ) { text = string.esc( text ); url = string.esc( url ); const result = "<a href=\"" + url + "\">" + text + "</a>"; return stache.safeString( result ); } ); ``` Rendering: ```html <div>{{link "Google", "http://google.com"}}</div> ``` Results in: ```html <div><a href="http://google.com">Google</a></div> ``` As an anchor tag whereas if we would have just returned the result rather than a `stache.safeString` our template would have rendered a div with the escaped anchor tag.