Just reached the next milestone on the road towards Sails v1: As of today, you can add a line of code to your HTML to directly expose data from your server-side view locals to client-side JavaScript, with built-in XSS attack prevention. This eliminates the need to hand-roll your own decoding/encoding (or worse, forget). And it means you don’t need to send a bunch of extra AJAX requests to safely get the data you need onto the web page. (For more background on the use case, check out this 2012 post from Dan Webb, Twitter’s former engineering manager: https://blog.twitter.com/2012/improving-performance-on-twittercom)
The new injector in Sails works by injecting a script tag into the raw HTML source, and stuffing the escaped version of your data (with all unsafe HTML characters encoded) inside. Then, by default, it also injects a pre-minified client-side unescape function (compatible with IE9 and up) that deals with de-scrambling HTML entities back into the unsafe characters from whence they came. For more info, check out the official Sails.js roadmap and the relevant proposal PR. Or, to take it for a spin, check out https://github.com/mikermcneil/expose-locals-to-browser-xss-test-app
