In my index.ejs I have this code:
var current_user = <%= user %>
In my node I have:
app.get("/", function(req, res){
Oh that was easy, don't use <%=, use <%- instead. For example:
<%- JSON.stringify(user) %>
The first one will render in HTML, the second one will render variables (as they are, eval)
Attention!
If the user can be created through API calls, <%- would leave you with a serious XSS vulnerability. Possible solutions can be found here:
Pass variables to JavaScript in ExpressJS
If, like me, your object can include an escaped character such as / or ", then use this more robust solution:
var current_user = <%- JSON.stringify(user).replace(/\\/g, '\\\\') %>
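The script-context problem that both answers are circling, as an added example that is not code from the question or from either answer: a small Node script that mirrors the HTML escaping EJS applies for <%= (assumed here to be the same five-character map EJS uses), shows why the raw <%- output of JSON.stringify(user) lets an API-supplied value containing </script> terminate the inline script before any JavaScript runs, and then serialises the object with JSON unicode escapes so it remains valid JSON, survives slashes, quotes and backslashes, and can no longer close the script element. The names safeJsonForScript, renderScriptLine, breaksOutOfScript and hostileUser are invented for this example, and it assumes the value is emitted directly as an object literal (var current_user = <%- ... %>), not inside a quoted string.

```javascript
// Added example: safely embedding a server-side object in an inline <script>
// rendered by an EJS-style template. Not code from the question or the answers.

// Mirrors the HTML escaping EJS applies for <%= %> (assumption: EJS's
// escapeXML rules, which replace exactly these five characters).
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Serialise a value as a JavaScript object literal that is safe to emit raw
// (<%- %>) inside <script>...</script>. Every character that could end the
// script element or upset the surrounding markup is replaced by a JSON
// unicode escape, so the output is still valid JSON and valid JavaScript.
// JSON.stringify already escapes " and \ correctly; / needs no escaping here.
function safeJsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028') // JSON.stringify leaves these line
    .replace(/\u2029/g, '\\u2029'); // separators raw; older JS engines choke
}

// Simulates the three ways the line  var current_user = <%... user ...%>
// can be rendered: HTML-escaped (<%=), raw (<%-), and raw with safeJsonForScript.
function renderScriptLine(user, mode) {
  const json = JSON.stringify(user);
  switch (mode) {
    case 'escaped':
      return 'var current_user = ' + escapeHtml(json) + ';'; // <%= JSON.stringify(user) %>
    case 'raw':
      return 'var current_user = ' + json + ';'; // <%- JSON.stringify(user) %>
    case 'safe':
      return 'var current_user = ' + safeJsonForScript(user) + ';';
    default:
      throw new Error('unknown mode: ' + mode);
  }
}

// The HTML parser ends a <script> element at the first "</script" it sees,
// no matter whether JavaScript considers that text to be inside a string.
function breaksOutOfScript(line) {
  return /<\/script/i.test(line);
}

// Constructed sample: a user record whose fields were set through an API call.
const hostileUser = {
  id: 42,
  name: '</script><script>alert(document.cookie)</script>',
  bio: 'slash / quote " backslash \\ and a U+2028 \u2028 line separator',
};

// Parses the emitted literal back the way the browser would evaluate it;
// returns null when the text is not valid JSON (e.g. contains &#34;).
function roundTrip(line) {
  const literal = line.replace(/^var current_user = /, '').replace(/;$/, '');
  try {
    return JSON.parse(literal);
  } catch (e) {
    return null;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const mode of ['escaped', 'raw', 'safe']) {
    const line = renderScriptLine(hostileUser, mode);
    console.log(mode.padEnd(8), 'breaks out:', breaksOutOfScript(line),
      'parses back:', roundTrip(line) !== null);
    console.log('   ', line);
  }
}
```

Run it with node: the escaped variant is harmless but not JavaScript (the quotes become &#34;, which is why the question's page rendered nothing useful), the raw variant contains a literal </script> that the browser acts on before the script ever executes, and the safe variant both stays inside the script element and parses back to the original object, including the slash, quote and backslash cases from the second answer.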