How to bind a javascript href and bypass XSS unsafe protection?



I need to bind a javascript payload to an <a href={{bookmarklet_url}}> element. The bookmarklet_url is generated through a computed property and is safe from user inputs.

Ember added protection against this type of XSS in 1.9.1 which add “unsafe:” to the href. We were able bypass the protection with {{unbound bookmarklet_url}}.

We’ve moved to Ember v1.11.0 beta’s and our workaround no longer works. How can I bypass the XSS protection?

Thanks, Andrew


Hi, In Ember 1.11.0 version the Ember team has introduced bound attribute syntax feature. So we don’t need to escape/bypass any of the inputs. Ember does this for you by default.

For better understanding please refer to: