bindings... allowing unescaped urls, but not html tags

packages/client/src/api/workflow/index.js

@@ -1,4 +1,4 @@
-import mustache from "mustache"
+import renderTemplateString from "../../state/renderTemplateString"
 import appStore from "../../state/store"
 import Orchestrator from "./orchestrator"
 import clientActions from "./actions"
@@ -17,7 +17,7 @@ export const clientStrategy = ({ api }) => ({
       if (typeof argValue !== "string") continue
 
       // Render the string with values from the workflow context and state
-      mappedArgs[arg] = mustache.render(argValue, {
+      mappedArgs[arg] = renderTemplateString(argValue, {
         context: this.context,
         state: appStore.get(),
       })

packages/client/src/render/prepareRenderComponent.js

@@ -1,4 +1,4 @@
-import mustache from "mustache"
+import renderTemplateString from "../state/renderTemplateString"
 import appStore from "../state/store"
 import hasBinding from "../state/hasBinding"
 
@@ -46,7 +46,7 @@ export const prepareRenderComponent = ({
           const toSet = {}
           for (let prop of storeBoundProps) {
             const propValue = initialProps._bb.props[prop]
-            toSet[prop] = mustache.render(propValue, state)
+            toSet[prop] = renderTemplateString(propValue, state)
           }
           thisNode.component.$set(toSet)
         }

packages/client/src/state/renderTemplateString.js

@@ -0,0 +1,17 @@
+import mustache from "mustache"
+
+// this is a much more liberal version of mustache's escape function
+// ...just ignoring < and > to prevent tags from user input
+// original version here https://github.com/janl/mustache.js/blob/4b7908f5c9fec469a11cfaed2f2bed23c84e1c5c/mustache.js#L78
+
+const entityMap = {
+  "<": "&lt;",
+  ">": "&gt;",
+}
+
+mustache.escape = text =>
+  String(text).replace(/[&<>"'`=/]/g, function fromEntityMap(s) {
+    return entityMap[s]
+  })
+
+export default mustache.render

packages/client/src/state/stateManager.js

@@ -4,7 +4,7 @@ import {
   EVENT_TYPE_MEMBER_NAME,
 } from "./eventHandlers"
 import { bbFactory } from "./bbComponentApi"
-import mustache from "mustache"
+import renderTemplateString from "./renderTemplateString"
 import appStore from "./store"
 import hasBinding from "./hasBinding"
 
@@ -64,7 +64,7 @@ const _setup = ({ handlerTypes, getCurrentState, bb }) => node => {
 
     if (isBound) {
       const state = appStore.getState(node.contextStoreKey)
-      initialProps[propName] = mustache.render(propValue, state)
+      initialProps[propName] = renderTemplateString(propValue, state)
 
       if (!node.stateBound) {
         node.stateBound = true
@@ -83,7 +83,8 @@ const _setup = ({ handlerTypes, getCurrentState, bb }) => node => {
         const resolvedParams = {}
         for (let paramName in handlerInfo.parameters) {
           const paramValue = handlerInfo.parameters[paramName]
-          resolvedParams[paramName] = () => mustache.render(paramValue, state)
+          resolvedParams[paramName] = () =>
+            renderTemplateString(paramValue, state)
         }
 
         handlerInfo.parameters = resolvedParams