HTML Escaping in Handlebars

Published at: 2017-01-01

When setting up this microblog, I noticed that Handlebars offers a neat built-in security feature: automatic HTML escaping for interpolated strings.

This means that the following string, stored as html_fragment:

<p>This is some html-fragment I'd like to place into a html-layout-file</p>

interpolated into:

<!DOCTYPE html>
…
{{ html_fragment }}
…

would result in:

<!DOCTYPE html>&lt;p&gt;This is some html-fragment I'd like to place into a html-layout-file&lt;/p&gt;

While I love the built-in default security behavior, you sometimes want to disable it. This is easy to do with the triple-stash:

<!DOCTYPE html>
…
{{{ html_fragment }}}
…

results in:

<!DOCTYPE html><p>This is some html-fragment I'd like to place into a html-layout-file</p>
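
The difference between the two forms, as an added example that is not part of the original post and is not Handlebars' own code: a minimal stand-in renderer that escapes {{ name }} and emits {{{ name }}} raw, plus a small review aid that lists the variables a template outputs unescaped, since those are the values that must only ever hold trusted markup. The helper names, the sample layout and the escape map (taken to be the one Handlebars.js uses) are assumptions.

```javascript
// Added illustration: a minimal stand-in, NOT Handlebars itself.
// Assumption: the character map of Handlebars.js's escapeExpression.
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => ESCAPE_MAP[ch]);
}

// Simplification: only plain identifiers, no helpers, paths or blocks.
const STASH = /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g;

// Hypothetical helper: {{ name }} is escaped, {{{ name }}} is emitted raw.
function render(template, context) {
  return template.replace(STASH, (match, rawName, escapedName) => {
    const name = rawName !== undefined ? rawName : escapedName;
    const value = Object.prototype.hasOwnProperty.call(context, name)
      ? context[name] : '';
    return rawName !== undefined ? String(value) : escapeHtml(value);
  });
}

// Review aid: list every variable a template emits without escaping.
function findRawInterpolations(template) {
  const names = [];
  for (const m of template.matchAll(STASH)) {
    if (m[1] !== undefined && !names.includes(m[1])) names.push(m[1]);
  }
  return names;
}

// Constructed sample input.
const layout = '<!DOCTYPE html>\n<h1>{{ title }}</h1>\n{{{ html_fragment }}}\n';
const context = {
  title: 'Tom & <b>Jerry</b>',
  html_fragment: '<p>trusted, pre-rendered post body</p>',
};

console.log(render(layout, context));
console.log('raw variables to review:', findRawInterpolations(layout));
```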