Skip to content

Commit 1cdfff6

Browse files
committed
Add sentence explicitly warning about code injection in _.template
Per review comment by @colingm in #3013.
1 parent 54cf593 commit 1cdfff6

1 file changed

Lines changed: 3 additions & 1 deletion

File tree

index.html

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2695,7 +2695,9 @@ <h2 id="utility">Utility Functions</h2>
26952695
<p role=note>
26962696
<em><tt>_.template</tt> allows the template author to insert arbitrary
26972697
JavaScript code by design. This means that you should only pass template
2698-
code from trusted authors.</em>
2698+
code and template settings from trusted authors. Passing untrusted input
2699+
to <tt>_.template</tt> <strong>will</strong> create a code injection
2700+
vulnerability in your application or library!</em>
26992701
</p>
27002702

27012703
<pre>

0 commit comments

Comments
 (0)