branch: elpa/web-mode
commit 0fbf1026169eb21544a9a784da99025295ede058
Author: Anders Kaseorg <[email protected]>
Commit: Anders Kaseorg <[email protected]>

    Fix ‘{{~’ completion for Handlebars
    
    We should not autocomplete ‘{{~’ to ‘{{~{ | }}}’, as that unexpectedly
    disables HTML escaping in Handlebars, leading to cross-site scripting
    vulnerabilities.
    
    Instead, autocomplete ‘{{~ ’ to ‘{{~ | }}’ and ‘{{~{’ to ‘{{~{ | }}}’.
    
    Signed-off-by: Anders Kaseorg <[email protected]>
---
 web-mode.el | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/web-mode.el b/web-mode.el
index 03be12e3b5..fb41cc78f4 100644
--- a/web-mode.el
+++ b/web-mode.el
@@ -1172,9 +1172,10 @@ Must be used in conjunction with 
web-mode-enable-block-face."
                            ("<%=" . " | %>")
                            ("<%#" . " | %>")))
     ("ctemplate"        . (("{{ " . "| }}")
+                           ("{{~ " . "| }}")
                            ("{{{" . " | }}}")
                            ("{~{" . " | }}")
-                           ("{{~" . "{ | }}}")
+                           ("{{~{" . " | }}}")
                            ("{{!" . "-- | --}}")
                            ("{{^" . "}}")
                            ("{{/" . "}}")
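Review bot: The two keys added here, `"{{~ "` and `"{{~{"`, are four characters long while every other key visible in this hunk is three, so confirm that the auto-pair matcher (not shown here) does not compare a fixed three-character chunk before point; if it does, the new entries would never fire. The security-relevant part of the change, dropping the `"{{~"` to `{ | }}}` expansion, holds either way. Because the reason is not obvious from the table itself, a comment above these entries such as `;; "{{~" must not expand to a triple-stache: {{~{ }}} turns off Handlebars HTML escaping` would keep a later edit from reintroducing the unescaped completion. The alist begins and ends outside this hunk.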
