I'm wondering how to escape variables in my view, in my Node.js project.
For example, #{name} in my .jade view file seems vulnerable to SQL Injection or XSS. Is there a standard way to resolve this? I know in Ruby I would do <%= h name %>, for example...
Actually want #{} for some reason? Escape it!
p \#{something}
Now we have <p>#{something}</p>
We can also utilize the unescaped variant !{html}, so the following will result in a literal script tag:
- var html = "<script></script>"
| !{html}
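To make the three behaviours in the answer concrete, here is an added example in plain JavaScript (not Jade's own code and not from the original post). It is a small model of Jade's interpolation rules: #{x} is HTML-escaped, !{x} is emitted raw, and \#{x} is emitted literally. The escapeHtml and interpolate functions, and the sample inputs, are constructed for this example.

```javascript
// Added example: a minimal model of Jade/Pug interpolation semantics.
// It is NOT Jade's implementation; it reproduces only the three cases the
// answer describes: #{} escapes, !{} does not, and \#{} is emitted literally.

// Escape the characters that change meaning in HTML text and attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")   // must run first so later entities are not re-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Interpolate one template line against `locals`.
//   \#{x}  -> the literal text "#{x}" (backslash disables interpolation)
//   #{x}   -> escapeHtml(locals.x)    (the safe default for untrusted data)
//   !{x}   -> locals.x unescaped      (only for HTML you already trust)
function interpolate(template, locals) {
  return template.replace(/(\\)?([#!])\{([^}]*)\}/g, (match, backslash, kind, rawName) => {
    if (backslash) {
      // Drop the backslash and keep the rest verbatim.
      return match.slice(1);
    }
    const name = rawName.trim();
    const value = Object.prototype.hasOwnProperty.call(locals, name) ? locals[name] : "";
    return kind === "#" ? escapeHtml(value) : String(value);
  });
}

// Mirror Jade's `p ...` tag around the interpolated text.
function renderParagraph(template, locals) {
  return "<p>" + interpolate(template, locals) + "</p>";
}

// Constructed sample: a name that arrived from a request parameter.
const untrustedName = '<script>alert(1)</script>';
console.log(renderParagraph("Hello #{name}", { name: untrustedName }));
// escaped: <p>Hello &lt;script&gt;alert(1)&lt;/script&gt;</p>
console.log(renderParagraph("Hello !{name}", { name: untrustedName }));
// unescaped: the script tag reaches the browser verbatim
console.log(renderParagraph("\\#{something}", {}));
// literal: <p>#{something}</p>
```

The difference between the first two lines of output is the whole XSS story for Jade views: keep #{} for anything that came from a user and reserve !{} for markup your own code built. SQL injection is unrelated to the view layer; that is addressed with parameterised queries in the data-access code, not by template escaping.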