🚀 Big News: Socket Acquires Coana to Bring Reachability Analysis to Every Appsec Team.Learn more
Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

context-parser-handlebars

Package Overview
Dependencies
Maintainers
1
Versions
11
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

context-parser-handlebars

Handlebars Context PreCompiler

1.0.4
npm
Version published
Weekly downloads
3
-76.92%
Maintainers
1
Weekly downloads
 
Created
Source

Handlebars Context Pre-compiler

This pre-compiler is to automatically conduct HTML 5 context analysis on Handlebars templates, and insert markup of XSS filtering helpers to output expressions based on their surrounding contexts.

The resulted templates can then be further processed with the vanilla Handlebars template engine. With the context-sensitive helpers properly registered at runtime, the context-sensitive escaping will effectively defend against XSS attacks.

Quick Start

Server-side (as a CLI utility)

Install the context-parser-handlebars npm globally, so it can be used in any project.

npm install context-parser-handlebars -g

Given a handlebars template file like so:

<html><title>{{title}}</title></html>

Run through the handlebars template file with our Handlebars Context Pre-compiler, and you can see that context-sensitive helpers are added to output expressions like so:

$ handlebarspc <handlebars template file>
<html><title>{{{yd title}}}</title></html>

The resulted pre-compiled template file is fully-compatible with the vanilla Handlebars. See secure-handlebars-helpers on how to register the corresponding helpers on the client-side for context-sensitive filtering.

Note: the default context-insensitive HTML escaping by Handlebars is disabled with the raw {{{expression}}} to prevent redundant escaping.

Server-side (as a Node.js library)

Analyze the HTML contexts of Handlebars templates on server-side.

// create the precompiler
var ContextParserPreCompiler = require("context-parser-handlebars");
var preCompiler = new ContextParserPreCompiler();

// given data stores a handlebars template as string
var data = '<html><title>{{title}}</title></html>';

try {
    // analyze the HTML contexts
    preCompiler.contextualize(data);
    // return a processed handlebars template with context-sensitive helpers added! 
    // i.e., output is '<html><title>{{{yd title}}}</title></html>';
    var output = preCompiler.getOutput();
    // ...
} catch (err) {
    // ...
}
// ...

Development

How to test

npm test

Build

Build Status

Known Limitations

  • Our approach involves only static analysis on the template files, and thus dynamic raw data that may alter the execution context on the rendered HTML will NOT be taken into account.
  • We handle the HTML specification only, and provide no support to the JavaScript and CSS contexts right now.
  • We now assume that {{>partial}} is always placed in the HTML Data context, and by itself will result in the same Data context after its binding (hence, in-state and out-state are both of data context).

License

This software is free to use under the BSD license. See the LICENSE file for license text and copyright information.

Keywords

xss
security
escape
encode
filter
context

FAQs

Package last updated on 08 Mar 2015

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Meet Socket at Black Hat and DEF CON 2025 in Las Vegas

Security News

Meet Socket at Black Hat and DEF CON 2025 in Las Vegas

Meet Socket at Black Hat & DEF CON 2025 for 1:1s, insider security talks at Allegiant Stadium, and a private dinner with top minds in software supply chain security.

By Sarah Gooding  -  Jul 12, 2025