Missing escape of HTML entities in Handlebars template compilation

Overview

• Rule ID: javascript_lang_handlebars_no_escape

• Applicable Languages: Javascript

• Weakness ID: CWE-80

Description

In Handlebars (a templating engine for generating HTML markup), setting noEscape to true prevents HTML entities from being escaped in the output. This can create a security vulnerability, especially increasing the risk of Cross-Site Scripting (XSS) attacks if the content is sourced from untrusted inputs.

Remediation Guidelines

• Do set noEscape to false when compiling Handlebars templates to ensure HTML entities are properly escaped, thereby reducing the risk of XSS vulnerabilities.

  Copy

  Handlebars.compile(template, { noEscape: false });
  

References

Configuration