contrib.nodejsscan.xss_templates.handlebars_noescape

Disabling escaping in Handlebars is not secure behaviour: it can introduce XSS vulnerabilities.
Definition
# Semgrep rule: flag Handlebars.compile() calls that pass `noEscape: true`.
# With that option every `{{expression}}` is emitted without HTML escaping, so
# any user-controlled value that reaches the template becomes raw markup (XSS).
# Mitigation: keep the default escaping and confine raw-HTML output to values
# that have been explicitly sanitized.
rules:
  - id: handlebars_noescape
    patterns:
      # `$X` binds any receiver expression, so `Handlebars.compile(...)` and
      # `someInstance.compile(...)` are both covered; the `...` on either side of
      # the options object let it appear at any argument position.
      # NOTE(review): whether `{noEscape: true}` also matches an options object
      # carrying extra keys depends on Semgrep's object-literal matching — confirm
      # with a fixture. `Handlebars.precompile()` takes the same compiler option
      # and is not matched here; a second pattern may be worth adding.
      - pattern: |
          $X.compile(..., {noEscape: true}, ...)
    message: Disabling Escaping in Handlebars is not a secure behaviour. This can
      introduce XSS vulnerabilities.
    languages:
      - javascript
    severity: ERROR
    metadata:
      # NOTE(review): A01:2017 is the OWASP Top 10 2017 "Injection" category; XSS
      # had its own entry (A07:2017) in that edition — confirm which tag is intended.
      owasp: A01:2017 - Injection
      cwe: "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page
        (Basic XSS)"
      category: security
      technology:
        - node.js
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
xss_templates.js
// Semgrep test fixture for the Handlebars rules. Each `// ruleid:<id>` comment
// must stay immediately above the line it annotates: that is how the rule's
// test harness checks that a finding is reported on exactly that line, so no
// other comment may be inserted between a marker and its line.
function name() {
  var x = '<h1>hell0</h1>'
  // Handlebars.SafeString marks its argument as already-safe HTML, so the
  // renderer emits it verbatim instead of escaping it; the sibling rule
  // `handlebars_safestring` (not shown on this page) is expected to flag both
  // constructions below.
  // ruleid:handlebars_safestring
  var y = new Handlebars.SafeString(x);
  // ruleid:handlebars_safestring
  return new Handlebars.SafeString('<img src="" onload=alert(0)>');
}
// Second fixture for `handlebars_safestring`: the call goes through an instance
// (`z`) rather than the `Handlebars` global and omits `new`, presumably to check
// that the sibling rule matches regardless of receiver and call form.
function test2() {
  var x = 'foooo'
  var z = new Handlebars;
  // ruleid:handlebars_safestring
  var xx = z.SafeString(x)
  return xx;
}
// Positive cases for `handlebars_noescape`: the options object passed to
// `.compile()` is `{ noEscape: true }`, which turns off HTML escaping for every
// `{{target}}`-style expression in the compiled template.
// `source` is never defined in this fixture; it only gives `.compile()` an argument.
// ruleid:handlebars_noescape
var template = Handlebars.compile(source, { noEscape: true });
// `template` is redeclared with `var` (legal, but looks accidental); the rule only
// inspects the `.compile(...)` call, not the template text.
var template = "This is {{target}}";
var target = "user's pictures";
// The misspelt `Handlerbars` receiver still matches because the rule binds the
// receiver with `$X`; it is kept as-is because this line is a `ruleid` expectation.
// ruleid:handlebars_noescape
var result = Handlerbars.compile(template, { noEscape: true })({ target: target });
// Fixture for a separate rule (`squirrelly_autoescape`, not shown on this page):
// presumably the equivalent global escape switch for the Squirrelly engine.
// ruleid:squirrelly_autoescape
Sqrl.autoEscaping(false)