Missing escape of HTML entities in Handlebars template compilation
Rule ID: javascript_lang_handlebars_no_escape
Applicable Languages: Javascript
Weakness ID: CWE-80
In Handlebars (a templating engine for generating HTML markup), setting noEscape to true prevents HTML entities from being escaped in the output. This creates a security vulnerability, increasing the risk of Cross-Site Scripting (XSS) when the rendered content comes from untrusted inputs.
Set noEscape to false when compiling Handlebars templates so that HTML entities are escaped in the output, reducing the risk of XSS vulnerabilities.
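The following is an added, self-contained example (not code from the rule page or from the Handlebars project) that shows the difference between the two settings and a simple textual check for the risky one. It does not require the handlebars package: compile() here is a deliberately minimal stand-in for Handlebars.compile that only substitutes {{name}} placeholders, escapeExpression mirrors the character set Handlebars.Utils.escapeExpression escapes (& < > " ' ` =), and findNoEscape is a hypothetical line-level check, not the scanner's real implementation. The untrusted input and the sample source are constructed for the example.

```javascript
// Added example: why `noEscape: true` matters and how to spot it.
// Stand-alone; no dependency on the handlebars npm package.

// Same replacement set as Handlebars.Utils.escapeExpression.
const ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

function escapeExpression(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => ESCAPES[ch]);
}

// Minimal stand-in for Handlebars.compile (hypothetical): supports {{name}} only.
// With noEscape: true the value is inserted verbatim; otherwise it is escaped.
function compile(template, options = {}) {
  const noEscape = options.noEscape === true;
  return (context) =>
    template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) => {
      const raw = context[key] ?? '';
      return noEscape ? String(raw) : escapeExpression(raw);
    });
}

const TEMPLATE = '<p>Hello {{name}}</p>';

// Vulnerable: markup in the untrusted value reaches the page as markup.
function renderVulnerable(context) {
  return compile(TEMPLATE, { noEscape: true })(context);
}

// Hardened: noEscape left false, so the value is rendered as text.
function renderSafe(context) {
  return compile(TEMPLATE, { noEscape: false })(context);
}

// Constructed untrusted input standing in for a user-supplied field.
const UNTRUSTED = { name: '<script>alert(1)</script>' };

// Hypothetical line-level check in the spirit of the rule: report the
// 1-based line numbers of compile() calls whose options set noEscape: true.
const NO_ESCAPE_RE = /\bcompile\s*\([^)]*noEscape\s*:\s*true/;

function findNoEscape(source) {
  return source
    .split('\n')
    .map((line, index) => ({ line, n: index + 1 }))
    .filter(({ line }) => NO_ESCAPE_RE.test(line))
    .map(({ n }) => n);
}

// Constructed sample source to run the check over.
const SAMPLE_SOURCE = [
  'const safe = Handlebars.compile(source);',
  'const alsoSafe = Handlebars.compile(source, { noEscape: false });',
  'const risky = Handlebars.compile(source, { noEscape: true });',
].join('\n');

console.log('vulnerable:', renderVulnerable(UNTRUSTED));
console.log('safe:      ', renderSafe(UNTRUSTED));
console.log('flagged lines:', findNoEscape(SAMPLE_SOURCE));
```

The vulnerable rendering emits the script tag unchanged, while the hardened one emits &lt;script&gt; text that the browser displays rather than executes; the check flags only the third sample line.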
To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our