Class SafeString public
A wrapper around a string that has been marked as safe ("trusted"). When rendered in HTML, Ember will not perform any escaping.
Note: This does not make the string safe; it means that some code in your application has marked it as safe using the htmlSafe() function. The only public API for getting a SafeString is calling htmlSafe(). It is not user-constructible.
If a string contains user input or other untrusted data, you must sanitize the string before passing it to htmlSafe(). Otherwise your code is vulnerable to Cross-Site Scripting. There are many open source sanitization libraries to choose from, both for front-end and server-side sanitization.
import { htmlSafe } from '@ember/template';
// Only strings that your own code produced or has already sanitized belong here.
let someTrustedOrSanitizedString = "<div>Hello!</div>";
htmlSafe(someTrustedOrSanitizedString);
toHTML String public
Defined in packages/@ember/-internals/glimmer/lib/utils/string.ts:58
Get the wrapped string as HTML to use without escaping.
- returns String: the trusted string, without any escaping applied
toString String public
Defined in packages/@ember/-internals/glimmer/lib/utils/string.ts:47
Get the string back to use as a string.
- returns String: the string marked as trusted
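The following is an added, stand-alone illustration written for this page; it is not Ember's source. It models the contract documented above (htmlSafe() as the only way to obtain a SafeString, toString() and toHTML() returning the wrapped string unchanged, and the renderer escaping everything except values marked safe) in plain Node so the escaping decision and the "sanitize before htmlSafe" rule can be run offline. The escapeHTML, renderValue and sanitizeToBoldItalic helpers, the local re-implementation of isHTMLSafe (the real one is exported from @ember/template), and the sample inputs are all assumptions constructed for the example.

```javascript
// Added illustration, not Ember's own source: a minimal model of the SafeString
// contract (htmlSafe, isHTMLSafe, toString, toHTML) and of the escaping decision a
// template engine makes when it renders a value.

// Escape the characters that change meaning in HTML text and attribute context.
function escapeHTML(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Model of SafeString: the wrapper adds no safety of its own, it only records that
// application code vouched for the string. It is not constructed directly by users.
class SafeString {
  constructor(string) {
    this.string = string;
  }
  // Get the string back to use as a string (no escaping is applied here either).
  toString() {
    return this.string;
  }
  // Get the wrapped string as HTML to use without escaping.
  toHTML() {
    return this.string;
  }
}

// The only public way to obtain a SafeString. null and undefined become ''.
function htmlSafe(str) {
  if (str === null || str === undefined) {
    str = '';
  }
  return new SafeString(String(str));
}

// Duck-typed check used by the renderer (local stand-in for @ember/template's isHTMLSafe).
function isHTMLSafe(value) {
  return value !== null && value !== undefined && typeof value.toHTML === 'function';
}

// The rendering decision: a SafeString is inserted verbatim, anything else is escaped.
function renderValue(value) {
  return isHTMLSafe(value) ? value.toHTML() : escapeHTML(value);
}

// Illustrative "sanitize before htmlSafe" step: escape everything first, then
// re-enable only a closed set of exact, attribute-free tags. This shows the shape of
// the pattern; a real application should use a maintained sanitization library.
const ALLOWED_TAG_TOKENS = ['<b>', '</b>', '<i>', '</i>'];

function sanitizeToBoldItalic(untrusted) {
  let out = escapeHTML(untrusted);
  for (const tag of ALLOWED_TAG_TOKENS) {
    out = out.split(escapeHTML(tag)).join(tag);
  }
  return out;
}

// Constructed sample inputs (not from the page).
const TRUSTED_MARKUP = '<div>Hello!</div>';                          // produced by our own code
const UNTRUSTED_INPUT = '<b>Hi</b> <img src=x onerror="alert(1)">';  // arrived from a user

function demo() {
  return {
    // A plain string is escaped by the renderer: safe by default.
    plain: renderValue(TRUSTED_MARKUP),
    // Marked safe: inserted without escaping.
    trusted: renderValue(htmlSafe(TRUSTED_MARKUP)),
    // The mistake the note warns about: marking raw user input safe defeats escaping.
    unsafeMistake: renderValue(htmlSafe(UNTRUSTED_INPUT)),
    // The correct pattern: sanitize first, then mark the sanitized result safe.
    sanitized: renderValue(htmlSafe(sanitizeToBoldItalic(UNTRUSTED_INPUT))),
  };
}

console.log(demo());
```

The `unsafeMistake` entry is the case to look for in review: any call site that feeds request parameters, stored user content or third-party API output straight into htmlSafe() reintroduces the injection that the template engine's default escaping would have prevented.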