Missing escape of HTML entities in Handlebars template compilation

Overview

  • Rule ID: javascript_lang_handlebars_no_escape

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-80

Description

Handlebars (a templating engine for generating HTML markup) escapes HTML entities by default. Setting the noEscape option to true when compiling a template disables this, so values rendered by the template are written to the output verbatim. If any of that content is sourced from untrusted input, this creates a Cross-Site Scripting (XSS) vulnerability.

Remediation Guidelines

  • Set noEscape to false (the default) when compiling Handlebars templates so that HTML entities are escaped, thereby reducing the risk of XSS vulnerabilities.

    Handlebars.compile(template, { noEscape: false });
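The following is an added example, not code from the Handlebars project or this rule's source: a minimal stand-in for Handlebars' escapeExpression and a toy {{key}} renderer, so the effect of noEscape on an untrusted value can be seen without the library installed. The escape map is assumed to match what Handlebars escapes (& < > " ' ` =); the untrusted input is constructed.

```javascript
// Character map assumed to mirror Handlebars.escapeExpression (added example).
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

// Escape every character in the map above; everything else passes through.
function escapeExpression(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => HTML_ESCAPES[ch]);
}

// Toy compile(): supports only simple {{key}} expressions. The `noEscape`
// option follows the semantics of the real Handlebars option of that name:
// true writes the raw value, false (the default) escapes it.
function compile(template, options = {}) {
  const noEscape = options.noEscape === true;
  return (context) =>
    template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) => {
      const raw = context[key] === undefined ? '' : String(context[key]);
      return noEscape ? raw : escapeExpression(raw);
    });
}

// Constructed untrusted input, e.g. a user-supplied display name.
const untrusted = { name: '<script>alert(1)</script>' };
const template = '<p>Hello, {{name}}!</p>';

// Vulnerable: the markup in `name` reaches the page unchanged.
function renderUnsafe() {
  return compile(template, { noEscape: true })(untrusted);
}

// Remediated: the same input is rendered as inert text.
function renderSafe() {
  return compile(template, { noEscape: false })(untrusted);
}

// Simple check a test or code review could apply to rendered output.
function containsRawScriptTag(html) {
  return /<script/i.test(html);
}

console.log('noEscape: true  ->', renderUnsafe());
console.log('noEscape: false ->', renderSafe());
```

Note that triple-stash expressions ({{{key}}}) and Handlebars.SafeString also bypass escaping regardless of noEscape, so they need the same scrutiny when applied to untrusted data.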

References

Configuration

To omit this rule during a scan, or to set up continuous code-level scanning, use our SAST tool.

Last updated