Missing escape of HTML entities in Handlebars template compilation

Overview

Rule ID: javascript_lang_handlebars_no_escape
Applicable Languages: Javascript
Weakness ID: CWE-80

Description

In Handlebars (a templating engine for generating HTML markup), setting noEscape to true prevents HTML entities from being escaped in the output. This can create a security vulnerability, especially increasing the risk of Cross-Site Scripting (XSS) attacks if the content is sourced from untrusted inputs.

Remediation Guidelines

Do set noEscape to false when compiling Handlebars templates to ensure HTML entities are properly escaped, thereby reducing the risk of XSS vulnerabilities.
```
Handlebars.compile(template, { noEscape: false });
```

References

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL

PreviousMissing Access Restriction on Directory Listing NextMissing Helmet configuration on HTTP headers

Last updated 1 year ago

hashtagOverview

hashtagDescription

hashtagRemediation Guidelines

hashtagReferences

hashtagConfiguration

Overview

Description

Remediation Guidelines

References

Configuration