How to pass <script> as a string to a blaze layout


#1

Currently I store in my database the content of a page as the HTML of it. When I bring this data to Blaze I use: {{{content}}} which loads HTML code as it's supposed to be. The only problem is that when I send in the string a <script> element, this doesn't render through the {{{content}}}. Does anyone know how to render this?

An example of content could be:

content: "<script src=\"https://fast.wistia.com/assets/external/E-v1.js\" async></script><p>This is a test</p>"

This content would only render the <p> element but the <script> is never loaded (as if it's been excluded).


#2

Hi,
You can try $.getScript("");

Inside the onRendered method, use:

$.getScript("https://fast.wistia.com/assets/external/E-v1.js", function () {
    console.log("Script loaded");
});


#3

Here is an example of how I rendered contracts that are Blaze templates saved as strings in the database. It works but has an ugly eval in it, so maybe somebody has a better idea.
Don’t worry that the code is in CoffeeScript, that’s just better JavaScript.

Template.ocupacionesContrato.onCreated ->
    ...
    @texto = new ReactiveVar()

Template.ocupacionesContrato.helpers
    texto: () -> Template.instance().texto.get()

Template.ocupacionesContrato.events
    'change #contratos': (event, template) =>
        event.preventDefault()
        template.contrato.set(Contratos.findOne(event.currentTarget.value))
        args = ['contrato', 'ocupacion', 'inquilino', 'entidad', 'edificio'].map((i) -> template[i].get())
        template.texto.set(getContractText args)

getContractText = (params) ->
    [contrato, ocupacion, inquilino, entidad, edificio] = params
    if contrato
        nombre = contrato.nombre.replace(/ /g, '')
        templateId = Random.id()
        texto = contrato?.texto
            .replace(/(?:\r\n|\r|\n)/g, '<br>')
            .replace(/  /g, '&nbsp;&nbsp;')
        texto = processMarkup(texto)
        compiled = SpacebarsCompiler.compile(texto, { isTemplate: true })
        renderer = eval(compiled)
        UI.Template.__define__(templateId, renderer)
        data =
            ocupacion: ocupacion
            inquilino: inquilino
            entidad: entidad
            edificio: edificio

        propietario = Propietarios.findOne(Session.get('PropietarioID'))

        Template[templateId].helpers
            ocupacion: -> ocupacion
            contrato: () -> contrato
            dia: (fecha = new Date()) -> pad2Null(fecha?.getDate())
            mes: (fecha = new Date()) -> pad2Null(fecha?.getMonth() + 1)
            mesNombre: (fecha = new Date()) -> mesNobre(fecha?.getMonth())
            año: (fecha = new Date()) -> fecha?.getFullYear()
            nombrePropietario: () -> propietario?.nombreCompleto
            ...
        Blaze.toHTMLWithData Template[templateId], data # the result of this is the return value

#4

And it’s very good that this is prevented from execution, because this would open doors for an XSS attack too easily.
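
An added example, not part of any post above: rather than depending on a <script> tag inside stored content, the app can strip script tags from the string and load only sources that pass an explicit allowlist. ALLOWED_SCRIPT_HOSTS, isAllowedScriptUrl and splitStoredContent are hypothetical names, and the single allowlist entry is an assumption taken from the URL in post #1.

```javascript
// Added example; ALLOWED_SCRIPT_HOSTS and splitStoredContent are hypothetical names.
const ALLOWED_SCRIPT_HOSTS = new Set(['fast.wistia.com']); // assumption: the only trusted host

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const SRC_RE = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Accept only absolute https URLs whose exact hostname is allowlisted.
function isAllowedScriptUrl(raw) {
  let url;
  try {
    url = new URL(raw); // throws on relative or protocol-relative values
  } catch (err) {
    return false;
  }
  return url.protocol === 'https:' &&
    url.username === '' && url.password === '' &&
    ALLOWED_SCRIPT_HOSTS.has(url.hostname);
}

// Remove every <script> from stored content and sort its source into
// "allowed" (may be loaded by the app) or "rejected" (log and review).
function splitStoredContent(content) {
  const allowed = [];
  const rejected = [];
  const html = content.replace(SCRIPT_RE, (tag, attrs, body) => {
    const m = SRC_RE.exec(attrs);
    const src = m ? (m[1] || m[2] || m[3]) : null;
    if (src && body.trim() === '' && isAllowedScriptUrl(src)) {
      allowed.push(src);
    } else {
      rejected.push(src || '(inline script)');
    }
    return '';
  });
  // html is NOT sanitized here (event-handler attributes and similar remain):
  // pass it through an HTML sanitizer before giving it to {{{content}}}.
  return { html, allowed, rejected };
}

// Content from post #1, followed by two constructed entries that must be rejected.
const SAMPLE = '<script src="https://fast.wistia.com/assets/external/E-v1.js" async></script>' +
  '<p>This is a test</p>' +
  '<script>track()</script>' +
  '<SCRIPT SRC=https://fast.wistia.com.evil.example/a.js></SCRIPT>';

console.log(splitStoredContent(SAMPLE));
// In onRendered, load only the allowed list, e.g. with $.getScript as in post #2.
```

The allowlist check runs on the parsed hostname, so lookalike hosts and userinfo tricks are rejected rather than matched by substring.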