# Missing escape of HTML entities in Handlebars template compilation

## Overview

* **Rule ID**: `javascript_lang_handlebars_no_escape`
* **Applicable Languages**: JavaScript
* **Weakness ID**: CWE-80

## Description

In Handlebars (a templating engine for generating HTML markup), setting `noEscape` to `true` when compiling a template prevents HTML entities in interpolated values from being escaped in the output. If any interpolated content comes from untrusted input, this introduces a security vulnerability, most notably an increased risk of Cross-Site Scripting (XSS), because markup and script in that input reach the page unchanged.

## Remediation Guidelines

* **Do** set `noEscape` to `false` (the default) when compiling Handlebars templates so that HTML entities are properly escaped, thereby reducing the risk of XSS vulnerabilities.

  ```javascript
  Handlebars.compile(template, { noEscape: false });
  ```
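
The following added example (not from the original page or from the Handlebars project) shows what `noEscape` changes. Because it must run without the Handlebars package, it uses a hypothetical `compile()` stand-in that reproduces only the relevant behaviour: `{{name}}` is escaped unless `noEscape` is set, `{{{name}}}` is always raw, and the escape table is the one Handlebars' `escapeExpression` uses. The `safeCompile` wrapper is likewise a suggested pattern, not a Handlebars API.

```javascript
// Added example: minimal stand-in for Handlebars.compile that mimics the
// effect of the `noEscape` option. Not the real library.
// Escape table matching Handlebars' escapeExpression (& < > " ' ` =).
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

function escapeExpression(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical compile(): supports {{name}} (escaped unless noEscape) and
// {{{name}}} (always raw), the two forms relevant to this rule.
function compile(template, options = {}) {
  const noEscape = options.noEscape === true;
  return (context) =>
    template.replace(/\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g,
      (_match, rawName, escName) => {
        if (rawName !== undefined) return String(context[rawName] ?? '');
        const v = context[escName] ?? '';
        return noEscape ? String(v) : escapeExpression(v);
      });
}

// Suggested defensive wrapper (not a Handlebars API): refuse to compile with
// the weak option so the misconfiguration cannot reach production silently.
function safeCompile(template, options = {}) {
  if (options.noEscape === true) {
    throw new Error('noEscape: true disables HTML escaping; refusing to compile');
  }
  return compile(template, { ...options, noEscape: false });
}

// Constructed untrusted input, e.g. a user-supplied display name.
const UNTRUSTED = { name: '<script>alert("hi")</script>' };
const TEMPLATE = '<p>Hello, {{name}}</p>';

// Weak configuration (what the rule flags): markup reaches the page intact.
function renderWithNoEscape() {
  return compile(TEMPLATE, { noEscape: true })(UNTRUSTED);
}

// Corrected configuration: entities are neutralised before output.
function renderEscaped() {
  return safeCompile(TEMPLATE, { noEscape: false })(UNTRUSTED);
}
```

Comparing `renderWithNoEscape()` with `renderEscaped()` shows the raw `<script>` element in the first output and `&lt;script&gt;...` in the second.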

## References

* [**Handlebars compile docs**](https://handlebarsjs.com/api-reference/compilation.html#handlebars-compile-template-options)
* [**OWASP XSS Prevention Cheat Sheet**](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
* [**CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)**](https://cwe.mitre.org/data/definitions/80.html)
* [**OWASP Top 10: A03:2021 - Injection**](https://owasp.org/Top10/A03_2021-Injection/)

## Configuration

To omit this rule during a scan, or to set up continuous 24/7 code-level scanning, you can use our [**SAST TOOL**](https://scopy.sec1.io/login).
