Execute scripts from InnerHTML in template

Hi there,

I know that Meteor doesn’t have the ability to run scripts from the template (like a script tag) and it sounds like a bad practice, but we have a pretty special use case. I’m downloading external webpages, inserting them into the iframe using InnerHTML and then making different manipulations (like editing DOM elements, styles, etc). So all these pages contain scripts like jQuery, carousel and so on and I need to execute them somehow to display pages properly. I know that by using eval() you can run scripts inside InnerHTML, but it looks like it doesn’t work for Meteor apps. Maybe someone has an idea how I can solve such a problem?

Looks like I found a solution. I’m downloading all files using http.get, concatenating them into one string and then evaluating inside my iframe. The question is: Is it safe to download JS files on the server side? Downloading is not working from the client side because of CORS, so I’m using http get inside a method and then sending it to the client as the response. Sounds like a potential security vulnerability to me, but I’m not sure.

Are you worrying about XSS? I think, as long as you are sanitizing it properly before outputting it into the DOM, it should be good.

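Added example, not part of any post in this thread: one way to let a downloaded page's own scripts run without evaluating them in the app's origin is to load the fetched HTML into an iframe through `srcdoc` with `sandbox="allow-scripts"` and no `allow-same-origin`. The helper names and the sample page below are constructed for illustration.

```javascript
// Added example. escapeAttr, checkedBaseUrl and buildSandboxedFrame are
// hypothetical helper names, not Meteor APIs.

// Escape text for use inside a double-quoted HTML attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Accept only http(s) URLs as the base for the page's relative links.
function checkedBaseUrl(pageUrl) {
  const u = new URL(pageUrl); // throws on malformed input
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error('unsupported scheme: ' + u.protocol);
  }
  return u.href;
}

// Return iframe markup that runs the fetched page's scripts in an opaque
// origin: "allow-scripts" is granted, "allow-same-origin" is not, so the
// page's code cannot reach the embedding app's DOM, cookies or storage.
function buildSandboxedFrame(fetchedHtml, pageUrl) {
  const base = '<base href="' + escapeAttr(checkedBaseUrl(pageUrl)) + '">';
  const headOpen = /<head(\s[^>]*)?>/i;
  // Put <base> right after <head> when there is one, else at the start.
  const doc = headOpen.test(fetchedHtml)
    ? fetchedHtml.replace(headOpen, (m) => m + base)
    : base + fetchedHtml;
  return '<iframe sandbox="allow-scripts" srcdoc="' + escapeAttr(doc) + '"></iframe>';
}

// Constructed sample input standing in for a downloaded page.
const samplePage =
  '<html><head><title>t</title></head><body>' +
  '<script src="js/carousel.js"></script><p class="a">hi</p></body></html>';
console.log(buildSandboxedFrame(samplePage, 'https://example.com/site/index.html'));
```

With this sandbox the embedding page can no longer reach into the frame's document directly, so any DOM or style edits would have to be requested over `postMessage` and applied by a script running inside the frame.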