Whitelisting internal links to load templates via ajax

Our app got rejected in review process done by “Coverity”. From the report we could see that its due to loading the internal template file via ajax


Sample code:

$.ajax({
url: './template-body.hbs',
type: 'GET'
}).then((results)=>{
var template = Handlebars.compile(results);
$('#widget-article-content').html(template(_data));
});

These template files will locate inside the “templates” folder of our package.

We are whitelisting our API URL for data fetch but we would like to know how can we whitelist internal URL “./.hbs”

Note: Previously our app got approved with the same changes but now due to the “Coverity” this issue we are facing.

Whitelist is only possible for hosts, not for a file path. One way to reimplement this would be to pass the template’s content as a string.

This topic was automatically closed 6 days after the last reply. New replies are no longer allowed.