Safe JavaScript Templating

Automatic Contextual XSS Escaping made robust, easy, and fast

Is XSS defense too hard?

Cross Site Scripting (XSS) has topped the list of OWASP Top 10 Web Application Security Risks for over a decade. We all know its consequences are terrible: it allows attackers to compromise a website and exfiltrate sensitive user information. But what makes it so hard to eliminate from web applications?

Blind escaping is still vulnerable!

JavaScript templating is prevalent in modern web development: an HTML template with placeholders (e.g., {{name}}) is easily substituted with user inputs. In view of potentially malicious inputs, all values are by default piped through an HTML escaping filter to defend against XSS. But such a blind-escaping approach is still vulnerable, because a single filter cannot be correct for every output context a placeholder may land in!
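To make the point concrete, here is an added example (not code from the secure-handlebars project) with a hand-rolled contextual escaper: the placeholder contexts are declared by hand rather than derived by a parser, and the template, sample input and function names are constructed for this illustration.

```javascript
// Added example (not the secure-handlebars project's code): a hand-rolled
// contextual escaper showing why one blind HTML-escape filter is not enough.
// A real engine derives each placeholder's context by parsing the template;
// here the context of each placeholder is declared by hand for brevity.

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// The blind filter most engines apply by default. It is correct for text nodes
// and for double-quoted attribute values, and insufficient elsewhere.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, c => HTML_ENTITIES[c]);
}

// Unquoted attribute values end at whitespace, so a space in the input starts
// a new attribute. Encode every non-alphanumeric character as an entity.
function escapeAttrUnquoted(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, c => `&#${c.charCodeAt(0)};`);
}

// href/src values also need a scheme check: entity encoding leaves a
// "javascript:" URL fully functional. Only http(s), mailto and relative URLs pass.
function escapeUrl(value) {
  const url = String(value).trim();
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(url);
  const allowedScheme = /^(https?|mailto):/i.test(url);
  if (hasScheme && !allowedScheme) return 'about:blank'; // neutralise, never pass through
  return escapeHtml(url);
}

// Constructed template with three placeholders in three different contexts.
const TEMPLATE = '<a href="{{url}}" title={{title}}>{{name}}</a>';
const CONTEXTS = { url: 'url', title: 'attrUnquoted', name: 'text' };
const FILTERS = { url: escapeUrl, attrUnquoted: escapeAttrUnquoted, text: escapeHtml };

// contextual=false reproduces blind escaping; contextual=true picks the filter
// that matches the placeholder's declared output context.
function render(template, data, contextual) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, key) => {
    const filter = contextual ? FILTERS[CONTEXTS[key]] : escapeHtml;
    return filter(data[key]);
  });
}

// Constructed sample input: values that the blind filter leaves intact because
// they contain none of & < > " ' yet still change the meaning of the markup.
const SAMPLE = { url: 'javascript:doSomething()', title: 'x onclick=doSomething()', name: '<b>Bob</b>' };
console.log('blind:      ', render(TEMPLATE, SAMPLE, false));
console.log('contextual: ', render(TEMPLATE, SAMPLE, true));
```

The blind rendering keeps the `javascript:` URL and turns the title value into a second, attacker-chosen attribute; the contextual rendering neutralises both while the text placeholder is handled identically in both modes.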

Secure

Escaping filters are applied according to the output context of every placeholder, at the right place and in the correct order, all automagically done by standards-compliant parsers written by us.

Robust

The solution has undergone a series of manual code reviews, as well as unit and integration tests. The filters also withstand fuzzing tests on the vast majority of web browsers.

Easy

With as few as 2 lines of code changed, the express-secure-handlebars package applies contextual escaping filters and even corrects HTML parsing errors, all automatically!

Fast

Templates can be pre-processed completely offline to avoid any runtime contextual analysis. The filters escape just enough to be secure, and are thus up to 2 times faster than the default one.