Passing an object to client in node/express + ejs?

by

In Node.js:

res.render('mytemplate', {data: myobject});

In EJS:

<script type="text/javascript">
  var rows =<%-JSON.stringify(data)%>
</script>

SECURITY NOTE : Don’t use this to render an object with user-supplied data. It would be possible for someone like Little Bobby Tables to include a substring that breaks the JSON string and starts an executable tag or somesuch. For instance, in Node.js this looks pretty innocent…

var data = {"color": client.favorite_color}

but could result in a client-provided script being executed in user’s browsers if they enter a color such as:

"titanium </script><script>alert('pwnd!')</script> oxide"

If you need to include user-provided content, please see https://stackoverflow.com/a/37920555/645715 for a better answer using Base64 encoding

More Related Contents:

  1. Render a variable as HTML in EJS
  2. How to create global variables accessible in all views using Express / Node.JS?
  3. Displaying an image with EJS in node.js/express
  4. What is the proper way to check for existence of variable in an EJS template (using ExpressJS)?
  5. How to get GET (query string) variables in Express.js on Node.js?
  6. How do I debug error ECONNRESET in Node.js?
  7. req.body empty on posts
  8. bodyParser is deprecated express 4
  9. How to access the GET parameters after “?” in Express?
  10. Node.js – get raw request body using Express
  11. Express.js – app.listen vs server.listen
  12. How to use a variable as a field name in mongodb-native findOne()?
  13. How to implement a secure REST API with node.js
  14. Express.js routing: optional splat param?
  15. How to protect the password field in Mongoose/MongoDB so it won’t return in a query when I populate collections?
  16. Mongoose .find() method causes requests to hang
  17. Node.js with Express: how to redirect a POST request
  18. Express JS use async function on requests
  19. HTML to PDF with Node.js
  20. Using PassportJS, how does one pass additional form fields to the local authentication strategy?
  21. Hooking up express.js with Angular CLI in dev environment
  22. Having a hard time trying to understand ‘next/next()’ in express.js
  23. Is it possible to set a base URL for NodeJS app?
  24. Any way to serve static html files from express without the extension?
  25. Angularjs $http does not seem to understand “Set-Cookie” in the response
  26. Passing arguments to require (when loading module)
  27. Node.js – logging / Use morgan and winston
  28. Firebase Functions HTTPS 403 Forbidden
  29. Amazon EC2 NodeJS server stops itself after 2 days even after using sudo nohup
  30. adding .css file to ejs

Leave a Comment