Snyk warning: Cross-site Scripting (XSS)
Closed this issue · 1 comments
magynhard commented
Thank you for your information.
The example there is general blah blah. CurlyBracketParser is not a template library, but a general string parser, independent of HTML or web. We explicitly don't want to sanitize strings, because we don't want to change the original data input. It is a design decision whether implicit sanitizing is supported or explicitly left to the developer. This is not the case here, nor is it planned.
In summary: The linked report is bullshit.
So have fun using CurlyBracketParser. If you need a good templating engine, have a look at EJS.
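The comment above leaves output sanitization to the developer. The following is an added example, not code from CurlyBracketParser or its author, showing what that means in practice when the parsed string is going to be inserted into an HTML page: escape every substituted value for the HTML context first, then run the placeholder substitution. The `parse` function below is a small stand-in for the `{{name}}` substitution the library performs and is an assumption about its behaviour, not the library's code; the sample template and value are constructed.

```javascript
// Added example (not the project's own code). Shows the escaping step a
// developer must apply when CurlyBracketParser output lands in HTML.

// Characters that can change HTML structure when they appear in text or in a
// double-quoted attribute value, and their entity replacements.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a value for insertion into HTML text content or a quoted attribute.
// Other contexts (inline JavaScript, URLs, CSS) need their own encoding and are
// NOT covered by this function.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Stand-in for the library's placeholder substitution (assumption): replaces
// {{key}} with vars[key] verbatim and leaves unknown placeholders untouched.
// Like the real parser, it does no sanitizing of its own.
function parse(template, vars) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (match, key) =>
    Object.prototype.hasOwnProperty.call(vars, key) ? String(vars[key]) : match
  );
}

// HTML-safe rendering: escape the *data* before substitution. The template
// itself is the developer's own markup and is trusted as written; only the
// values coming from outside are untrusted.
function renderHtml(template, vars) {
  const safeVars = {};
  for (const [key, value] of Object.entries(vars)) {
    safeVars[key] = escapeHtml(value);
  }
  return parse(template, safeVars);
}

// Constructed sample: the value stands in for user-controlled input such as a
// form field, and contains markup that must not be interpreted by the browser.
const TEMPLATE = "<p>Hello {{name}}</p>";
const UNTRUSTED = { name: '<b>Peter & "friends"</b>' };

// Returns both renderings so the difference is visible side by side.
function demo() {
  return {
    raw: parse(TEMPLATE, UNTRUSTED),        // markup passes through unchanged
    safe: renderHtml(TEMPLATE, UNTRUSTED),  // markup is rendered as literal text
  };
}

console.log(demo());
```

The `raw` result is what a parser that does not sanitize will always give you; `safe` is what the application has to produce itself before the string reaches a browser. The escaping shown is only correct for HTML text and quoted attribute values; a value placed inside a `<script>` block, an event handler, or a URL needs the encoding appropriate to that context, and a dedicated templating engine applies such context-aware escaping for you.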