My api is escaping the unescaped user input I send it via ember-data. So when the data returned from the api is rendered, the text gets escaped twice resulting in html entities appearing in my text. What’s the proper way to handle this? Should the api not escape text and leave it up to Handlebars? Or is there a way to tell Ember that the text is already escaped?
Helpers are replaced by components but I do this in a helper:
https://github.com/broerse/ember-cli-blog/blob/master/app/helpers/format-markdown.js
IMHO the API should NOT escape text. It’s really the client’s job to ensure it doesn’t result in an XSS vulnerability. And it makes even less sense when you have alternate clients (mobile) consuming the API.
It’s not clear based on your initial question if you were referring to WYSIWYG data or all text fields. If it’s the latter, I would actually recommend you handle this at the ember-data level so that from the view/component/router/controller perspectives, the data is accurate (not-escaped).
The problem with escaped data is you often have to know explicitly it’s escaped/unescaped. You can’t always tell. So given that, I see one of two options. If ALL of your data is ALWAYS escaped, I would implement normalizeHash on the application serializer (JSONSerializer - 4.6 - Ember API Documentation). If only some of your fields are escaped, I would implement a custom transform (Transform - 4.6 - Ember API Documentation).
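The custom-transform option from the last reply, sketched as an added example that is not part of the original posts: a plain class with the `deserialize`/`serialize` shape of an Ember Data Transform that decodes already-escaped fields exactly once, so the template's own escaping is the only escaping applied. The names `EscapedStringTransform`, `decodeEntitiesOnce` and `templateEscape` are assumptions, and the sample API value is constructed.

```javascript
// Entities this sketch decodes; anything else is left as received.
const NAMED = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"]]);

// Decode each entity once, in a single pass: "&amp;lt;" becomes the literal
// text "&lt;" rather than "<", so decoding never goes deeper than one level.
function decodeEntitiesOnce(text) {
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      // Out-of-range code points stay untouched instead of throwing.
      return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    return NAMED.has(body) ? NAMED.get(body) : match;
  });
}

// In an Ember app this class would extend Transform and live in app/transforms/.
class EscapedStringTransform {
  deserialize(serialized) {
    // Non-string values (null, numbers) pass through unchanged.
    return typeof serialized === 'string' ? decodeEntitiesOnce(serialized) : serialized;
  }
  serialize(deserialized) {
    return deserialized; // raw text goes back upstream
  }
}

// Stand-in for the escaping a {{value}} template expression applies at render.
function templateEscape(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample: the escaping API's response for the input  Tom & "Jerry" <b>
const fromApi = 'Tom &amp; &quot;Jerry&quot; &lt;b&gt;';
const model = new EscapedStringTransform().deserialize(fromApi);
console.log('without transform:', templateEscape(fromApi)); // entities escaped twice
console.log('with transform:   ', templateEscape(model));   // escaped once
```

The decoded value is raw, untrusted text: it belongs in a normal `{{value}}` expression, not in triple curlies or `htmlSafe`.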