Class SafeString

public

A wrapper around a string that has been marked as safe ("trusted"). When rendered in HTML, Ember will not perform any escaping.

Note:

  1. This does not make the string safe; it means that some code in your application has marked it as safe using the htmlSafe() function.

  2. The only public API for getting a SafeString is calling htmlSafe(). It is not user-constructible.

If a string contains user inputs or other untrusted data, you must sanitize the string before using the htmlSafe method. Otherwise your code is vulnerable to Cross-Site Scripting. There are many open source sanitization libraries to choose from, both for front end and server-side sanitization.

import { htmlSafe } from '@ember/template';

let someTrustedOrSanitizedString = "<div>Hello!</div>";

// Returns a SafeString; Ember renders it without escaping.
htmlSafe(someTrustedOrSanitizedString);
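
The sanitization requirement above, as an added example (not from the Ember documentation or code base): developer-written markup is kept as-is, and every interpolated untrusted value is HTML-escaped before the result would be passed to htmlSafe(). The names escapeHtml, escaped and greetingMarkup are hypothetical, and the Ember call appears only in a comment so the block runs without Ember installed.

```javascript
// Characters that can change HTML text or quoted-attribute context.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

// Escape one untrusted value. null/undefined render as an empty string.
function escapeHtml(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: the literal parts are written by the developer and are
// kept verbatim; every ${...} value is treated as untrusted and escaped.
function escaped(strings, ...values) {
  return strings.reduce(
    (out, part, i) =>
      out + part + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// Hypothetical helper building markup around a user-supplied name.
function greetingMarkup(displayName) {
  return escaped`<div class="greeting">Hello, <b>${displayName}</b>!</div>`;
}

// Constructed sample input standing in for untrusted data.
const untrustedName = 'Ann <script>alert(1)</script>';
const markup = greetingMarkup(untrustedName);
console.log(markup);

// In an Ember app the escaped markup is what gets marked as safe:
//   import { htmlSafe } from '@ember/template';
//   const safe = htmlSafe(markup);
//
// Caveat: entity escaping covers HTML text and quoted attribute values only.
// Untrusted values placed in URLs (href/src), inline scripts or styles need
// context-specific validation, and untrusted HTML that must keep its tags
// needs a real sanitization library instead.
```
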

Methods

Properties

No documented items

Events

No documented items