Function
htmlSafe SafeString public
Module:
@ember/template
Defined in packages/@ember/-internals/glimmer/lib/utils/string.ts:61
import { htmlSafe } from '@ember/template';
- Returns: SafeString, a string that will not be HTML escaped by Handlebars.
Use this method to indicate that a string should be rendered as HTML when the string is used in a template. To say this another way, strings marked with htmlSafe will not be HTML escaped.
A word of warning - the htmlSafe method does not make the string safe; it only tells the framework to treat the string as if it is safe to render as HTML. If a string contains user input or other untrusted data, you must sanitize the string before passing it to htmlSafe. Otherwise your code is vulnerable to Cross-Site Scripting.

There are many open source sanitization libraries to choose from, both for front-end and server-side sanitization.
```js
import { htmlSafe } from '@ember/template';

// Only mark strings that are already trusted or have been sanitized.
const someTrustedOrSanitizedString = "<div>Hello!</div>";

// Returns a SafeString that Handlebars will render without escaping.
htmlSafe(someTrustedOrSanitizedString);
```
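To make the warning above concrete, the following added example (not Ember's code) models the SafeString contract with a minimal stand-in renderer and contrasts a helper that marks untrusted input as safe with one that escapes it first. The SafeString class, htmlSafe, escapeExpression and render functions here are assumed simplifications of the framework's behaviour, and UNTRUSTED_NAME is constructed sample input.

```javascript
// Stand-in for Ember's SafeString: a wrapper the renderer will not escape.
// (Assumed model, not the framework's implementation.)
class SafeString {
  constructor(string) { this.string = string; }
  toString() { return this.string; }
  toHTML() { return this.string; }
}

// Stand-in for htmlSafe(): it only marks the string, it never sanitizes it.
function htmlSafe(str) { return new SafeString(String(str)); }

// Minimal HTML escaper, standing in for a real sanitization library.
const ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};
function escapeExpression(value) {
  if (value instanceof SafeString) return value.toHTML(); // marked safe: pass through
  return String(value).replace(/[&<>"'`=]/g, (c) => ESCAPES[c]);
}

// Models a template expression `{{value}}`: escape unless the value is a SafeString.
function render(value) { return escapeExpression(value); }

// Constructed untrusted input, e.g. a display name submitted through a form.
const UNTRUSTED_NAME = '<script>alert(1)</script>';

// Vulnerable: untrusted data is concatenated into markup and then marked safe,
// so the renderer emits the attacker-controlled markup verbatim.
function greetingUnsafe(name) {
  return htmlSafe(`<strong>Hello, ${name}!</strong>`);
}

// Hardened: escape the untrusted part first, then mark only the trusted wrapper safe.
function greetingSafe(name) {
  return htmlSafe(`<strong>Hello, ${escapeExpression(name)}!</strong>`);
}

console.log(render(greetingUnsafe(UNTRUSTED_NAME))); // script tag reaches the DOM
console.log(render(greetingSafe(UNTRUSTED_NAME)));   // script tag rendered as text
```

The same rule applies to real sanitizers: run them on the untrusted fragment before calling htmlSafe, not after.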