Class SafeString

public

A wrapper around a string that has been marked as safe ("trusted"). When rendered in HTML, Ember will not perform any escaping.

Note:

  1. This does not make the string safe; it means that some code in your application has marked it as safe using the htmlSafe() function.

  2. The only public API for getting a SafeString is calling htmlSafe(). It is not user-constructible.

If a string contains user inputs or other untrusted data, you must sanitize the string before using the htmlSafe method. Otherwise your code is vulnerable to Cross-Site Scripting. There are many open source sanitization libraries to choose from, both for front end and server-side sanitization.

import { htmlSafe } from '@ember/template';

let someTrustedOrSanitizedString = "<div>Hello!</div>"

htmlSafe(someTrustedorSanitizedString);

Show:

Module: @ember/template
returns
String

the trusted string, without any escaping applied

Get the wrapped string as HTML to use without escaping.

Module: @ember/template
returns
String

The string marked as trusted

Get the string back to use as a string.