In Ember, always use `{{...}}`, not `{{{...}}}`. Use `Ember.String.htmlSafe` as necessary in JavaScript (usually in a component) to mark markup as HTML-safe. Never pass user-entered content directly to `Ember.String.htmlSafe`.

Ember has great XSS protection built in. The HTMLBars templating library will automatically run any interpolations through `htmlEscape` for you. So
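As an added illustration of the rules above (not Ember's own code): a small stand-in that mimics the semantics of `{{...}}`, `{{{...}}}` and `Ember.String.htmlSafe`, run over a constructed sample of user-entered input, to show why fixed markup may be marked safe but user content must be escaped first.

```javascript
// Stand-in for the HTMLBars behaviour described above (not Ember's implementation).
// htmlEscape turns the characters that matter in HTML into entities; the set below
// matches the characters Handlebars escapes.
const ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

function htmlEscape(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => ESCAPES[ch]);
}

// Stand-in for Ember.String.htmlSafe: wraps a string so the renderer emits it untouched.
class SafeString {
  constructor(html) { this.html = html; }
  toHTML() { return this.html; }
}
function htmlSafe(html) { return new SafeString(html); }

// {{value}} semantics: escape everything unless it was explicitly marked safe.
function renderDoubleCurly(value) {
  return value instanceof SafeString ? value.toHTML() : htmlEscape(value);
}

// {{{value}}} semantics: never escapes, which is why the guideline says not to use it.
function renderTripleCurly(value) {
  return value instanceof SafeString ? value.toHTML() : String(value);
}

// Component-style helper: the markup skeleton is fixed and may be marked safe,
// but the user-supplied name is escaped before it is spliced in.
function greetingMarkup(userName) {
  return htmlSafe(`<strong>Hello, ${htmlEscape(userName)}!</strong>`);
}

// Constructed sample of attacker-controlled input (hypothetical, for the demo only).
const userInput = '<script>alert(1)</script>';

console.log(renderDoubleCurly(userInput));              // entities only, inert
console.log(renderTripleCurly(userInput));              // raw script tag reaches the page
console.log(renderDoubleCurly(greetingMarkup(userInput))); // trusted wrapper, escaped payload
console.log(renderDoubleCurly(htmlSafe(userInput)));    // same bug as {{{...}}}: never do this
```

The last line shows that wrapping user content in `htmlSafe` throws away the protection `{{...}}` gives you, which is the situation the guideline warns against.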