In the Security section of the Meteor docs, at the bottom of the page, there’s a checklist. One of the items says:
Don’t use raw HTML inclusion in Blaze unless you really know what you are doing.
The link provided forwards you to the Blaze Community Site, but I can’t find any mention of this security issue.
What exactly is raw HTML inclusion in the context of Blaze, and how is this a security issue?
Thanks for the quick response. So using Blaze.toHTML to render templates is OK. It’s only a security issue if I’m taking actual user input via an input or textarea, for example, and then inserting that into the page’s HTML?
Yes, that’s right! And by default Blaze will escape it for you.
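To make the distinction in the answer above concrete, here is an added example that is not part of this thread and not Blaze’s own code. It is a deliberately tiny stand-in renderer that follows the Spacebars convention Blaze uses: a double-braced `{{value}}` is HTML-escaped before insertion, while a triple-braced `{{{value}}}` is the "raw HTML inclusion" the checklist warns about and is inserted verbatim. The template strings, the `render`/`escapeHtml`/`containsScriptableMarkup` helpers and the attacker-controlled comment are all constructed for the illustration.

```javascript
// Stand-in for the Spacebars escaping rule, written for this thread as an
// illustration only. It is NOT Blaze's implementation; it just reproduces the
// observable difference between {{value}} (escaped) and {{{value}}} (raw).

// Escape the five characters that can break out of HTML text or an attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render a template against a data object.
//   {{name}}   -> escapeHtml(data[name])   (safe default)
//   {{{name}}} -> data[name] unchanged      (raw HTML inclusion)
// The triple-brace alternative is listed first so it wins over the double one.
function render(template, data) {
  const tag = /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g;
  return template.replace(tag, (match, rawName, escName) => {
    if (rawName !== undefined) {
      const raw = data[rawName];
      return raw === undefined ? "" : String(raw);
    }
    const val = data[escName];
    return val === undefined ? "" : escapeHtml(val);
  });
}

// Cheap check used below: does the output still contain a tag that carries an
// inline event handler (on*=) or a <script> element? Good enough for the demo,
// not a substitute for a real sanitizer.
function containsScriptableMarkup(html) {
  return /<[a-z][^>]*\son\w+\s*=/i.test(html) || /<script\b/i.test(html);
}

// Constructed attacker input: a "comment" submitted through a textarea.
const userComment = '<img src=x onerror="alert(document.cookie)">';

// Same data, two templates. Only the triple-brace one is a problem.
const safeTemplate = '<p class="comment">{{comment}}</p>';
const unsafeTemplate = '<p class="comment">{{{comment}}}</p>';

function renderEscaped(comment) {
  return render(safeTemplate, { comment });
}

function renderRaw(comment) {
  return render(unsafeTemplate, { comment });
}

// Escaped: the browser shows the literal text '<img ...>' to the reader.
// Raw: the <img> element is created and its onerror handler runs (stored XSS).
console.log("escaped:", renderEscaped(userComment));
console.log("raw:    ", renderRaw(userComment));
console.log("escaped output executable?", containsScriptableMarkup(renderEscaped(userComment)));
console.log("raw output executable?    ", containsScriptableMarkup(renderRaw(userComment)));
```

The only legitimate reason to reach for the triple-brace form is HTML you generated yourself or already ran through a sanitizer you trust; anything that originated in a form field, a URL parameter or a third-party API belongs in the double-brace form, which is also what a template rendered through Blaze.toHTML gets by default.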
Great. Thanks for clarifying.