Open
Description
Due to the eval-like nature of this module, it's possible for externally fetched templates to introduce cross-site scripting exploits.
To fix this, check the domain of the fetch URL against the site domain. Throw if they don't match. Alternatively, add a param called safe (default true) that -- when set to false -- will allow loading templates from other domains.
Changes
- add throw if domain-other-than-origin
- add 'safe' param to circumvent the check when set to false
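The origin check described above, written out as an added example (this is not the module's own code): `guardTemplateUrl` resolves the requested template URL against the page origin and throws on any mismatch unless the caller passes `safe: false`. The function name and the `pageOrigin` option are assumptions; `pageOrigin` defaults to the browser's `location.origin` and is a parameter only so the check can run outside a browser.

```javascript
// Added example, not the module's code. Resolve a template URL against the
// page origin and refuse cross-origin templates unless explicitly allowed.

// Resolve relative ("/tpl/x.html"), protocol-relative ("//host/x") and
// absolute URLs through the WHATWG URL parser so all forms are compared
// by origin rather than by string prefix.
function resolveTemplateUrl(url, pageOrigin) {
  return new URL(url, pageOrigin);
}

// Throws unless `url` is same-origin with the page, or `safe` is false.
// Returns the resolved absolute URL string for the caller to fetch.
function guardTemplateUrl(url, { safe = true, pageOrigin = globalThis.location?.origin } = {}) {
  if (!pageOrigin) {
    throw new TypeError('pageOrigin is required when no window.location exists');
  }
  const resolved = resolveTemplateUrl(url, pageOrigin);
  const allowed = new URL(pageOrigin).origin;
  // data:, javascript: and similar schemes have the opaque origin "null",
  // so they never compare equal and are rejected in safe mode as well.
  if (safe && resolved.origin !== allowed) {
    throw new Error(
      `Refusing to load template from ${resolved.origin}; ` +
      'pass { safe: false } to allow cross-origin templates'
    );
  }
  return resolved.href;
}

// True if the URL would be accepted under the default safe=true policy.
function isSafeTemplateUrl(url, pageOrigin) {
  try {
    guardTemplateUrl(url, { pageOrigin });
    return true;
  } catch {
    return false;
  }
}
```

A same-origin check only limits where templates come from; a same-origin template that interpolates untrusted data still needs escaping before it reaches the eval-like path.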