contrib.nodejsscan.xss_mustache_escape.xss_disable_mustache_escape

Author: returntocorp
Download count: 99

Markup escaping disabled. Some template engines use this setting to turn off HTML entity escaping, which can lead to XSS attacks.

Definition

rules:
  - id: xss_disable_mustache_escape
    pattern: $OBJ.escapeMarkup = false
    severity: WARNING
    languages:
      - javascript
    metadata:
      cwe: "CWE-116: Improper Encoding or Escaping of Output"
      owasp: A07:2017 - Cross-Site Scripting (XSS)
      category: security
      technology:
        - node.js
        - express
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    message: Markup escaping disabled. Some template engines use this setting to turn
      off HTML entity escaping, which can lead to XSS attacks.
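As an added illustration of what the rule catches (example code, not part of the rule or of Semgrep/returntocorp): a toy template renderer with an `escapeMarkup` switch renders the same untrusted value with escaping on and off, and a small line scanner approximates the rule's `$OBJ.escapeMarkup = false` pattern. The renderer, the `some-engine` module name and the sample source lines are constructed for this example; the page names no specific engine, and only the property name comes from the rule's pattern.

```javascript
// Added example: a minimal template engine whose `escapeMarkup` setting
// mirrors the property name in the Semgrep pattern. Not a real engine.

// Entity-encode the five characters that matter in HTML text and attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Substitute {{name}} placeholders; escaping depends on settings.escapeMarkup.
function renderTemplate(template, data, settings) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) => {
    const value = data[key] === undefined ? "" : data[key];
    return settings.escapeMarkup ? escapeHtml(value) : String(value);
  });
}

// Constructed attacker-controlled input (e.g. a display name from a form).
const UNTRUSTED_NAME = '<img src=x onerror="alert(1)">';
const TEMPLATE = "<p>Hello, {{name}}!</p>";

// Vulnerable: the assignment the rule flags turns escaping off, so the
// markup in UNTRUSTED_NAME reaches the page unchanged.
function renderVulnerable() {
  const settings = { escapeMarkup: true };
  settings.escapeMarkup = false; // <-- what `$OBJ.escapeMarkup = false` matches
  return renderTemplate(TEMPLATE, { name: UNTRUSTED_NAME }, settings);
}

// Hardened: leave the engine default (escaping on); the value is entity-encoded.
function renderHardened() {
  const settings = { escapeMarkup: true };
  return renderTemplate(TEMPLATE, { name: UNTRUSTED_NAME }, settings);
}

// Rough textual approximation of the rule: `<expr>.escapeMarkup = false`,
// tolerating whitespace. Comparisons (`==`, `===`) and object literals
// (`{ escapeMarkup: false }`) are not assignments and are not matched.
const DISABLE_ESCAPE_RE = /\b[\w$.]+\.escapeMarkup\s*=\s*false\b/;

function findEscapeDisabled(source) {
  return source.split("\n").flatMap((line, i) =>
    DISABLE_ESCAPE_RE.test(line) ? [{ line: i + 1, text: line.trim() }] : []
  );
}

// Constructed source sample for the scanner (module name is hypothetical).
const SAMPLE_SOURCE = `
const engine = require("some-engine");
engine.settings.escapeMarkup = false;
app.locals.escapeMarkup  =  false
const opts = { escapeMarkup: false }; // literal, not an assignment: not flagged
if (engine.escapeMarkup === false) warn(); // comparison: not flagged
`;

console.log("vulnerable:", renderVulnerable());
console.log("hardened:  ", renderHardened());
console.log("findings:  ", findEscapeDisabled(SAMPLE_SOURCE));
```

The scanner is only a line-oriented stand-in for the real rule; Semgrep matches the assignment syntactically, so it also catches the same assignment split across lines or written with different spacing, which a regex over single lines would miss.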