Blaze and raw HTML inclusion security


In the Security section of the Meteor docs, at the bottom of the page, there’s a checklist. One of the items says

Don’t use raw HTML inclusion in Blaze unless you really know what you are doing.

The link provided forwards you to the Blaze Community Site, but I can’t find any mention of this security issue.

What exactly is raw HTML inclusion in the context of Blaze, and how is this a security issue?


Look up “cross-site scripting”. Basically, if you put raw user-provided HTML on your page, users can hack other users by putting JavaScript in there.


Thanks for the quick response. So using Blaze.toHTML to render templates is OK. It’s only a security issue if I’m taking actual user input via an input or textarea, for example, and then inserting that into the page’s HTML?


Yes that’s right! And by default Blaze will escape it for you.
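The escaping the answer describes, as an added example (not code from this thread or from the Blaze project): a miniature renderer that reproduces the difference between `{{value}}` (escaped text) and `{{{value}}}` (raw HTML inclusion) on a constructed comment string. Only the escaped character set is borrowed from Blaze; the template matching here is a deliberate simplification.

```javascript
// Added illustration, not Blaze's own code: mimics how {{value}} escapes a
// data value while {{{value}}} inserts it verbatim into the page markup.

// Characters Blaze turns into entities for {{ }} output.
const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

function lookup(data, key) {
  return data[key] === undefined ? '' : String(data[key]);
}

// Simplified template renderer: triple braces are resolved first so that the
// double-brace pattern does not match inside them.
function renderTemplate(template, data) {
  return template
    .replace(/\{\{\{\s*(\w+)\s*\}\}\}/g, (_, key) => lookup(data, key))
    .replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) => escapeHtml(lookup(data, key)));
}

// Constructed sample input, as a comment body might arrive from a textarea.
const USER_COMMENT = 'Nice post! <script>alert("xss")</script>';

// Default Blaze behaviour: the tag delimiters become entities, so the browser
// renders the comment as visible text.
function renderEscaped() {
  return renderTemplate('<p class="comment">{{body}}</p>', { body: USER_COMMENT });
}

// Raw inclusion: the user's markup lands in the page unchanged.
function renderRaw() {
  return renderTemplate('<p class="comment">{{{body}}}</p>', { body: USER_COMMENT });
}

// Review check: did user-controlled text containing tag delimiters reach the
// rendered output unescaped?
function containsMarkup(rendered, userInput) {
  return /[<>]/.test(userInput) && rendered.includes(userInput);
}
```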


Great. Thanks for clarifying.