javascript.express.security.audit.xss.mustache.escape-function-overwrite.escape-function-overwrite
semgrepAuthor
3,426
Download Count*
License
The Mustache escape function is being overwritten. This could bypass HTML escaping safety measures built into the rendering engine, exposing your application to cross-site scripting (XSS) vulnerabilities. If you need unescaped HTML, use the triple brace operator in your template: '{{{ ... }}}'.
Run Locally
Run in CI
Defintion
rules:
- id: escape-function-overwrite
message: "The Mustache escape function is being overwritten. This could bypass
HTML escaping safety measures built into the rendering engine, exposing
your application to cross-site scripting (XSS) vulnerabilities. If you
need unescaped HTML, use the triple brace operator in your template: '{{{
... }}}'."
metadata:
cwe:
- "CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')"
owasp:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
references:
- https://github.com/janl/mustache.js/#variables
category: security
technology:
- express
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cross-Site-Scripting (XSS)
languages:
- javascript
- typescript
severity: WARNING
pattern-either:
- pattern: Mustache.escape = ...
- patterns:
- pattern-inside: |
$MUSTACHE = require("mustache");
...
- pattern: $MUSTACHE.escape = ...
Examples
escape-function-overwrite.js
// cf. https://github.com/janl/mustache.js/#include-templates
// e.g., browser code:
// ruleid: escape-function-overwrite
Mustache.escape = function(val) { return val; }
function renderHello() {
var template = document.getElementById('template').innerHTML;
var rendered = Mustache.render(template, { name: 'Luke' });
document.getElementById('target').innerHTML = rendered;
}
// e.g., Node.js code:
function node() {
const template = require("mustache");
// ruleid: escape-function-overwrite
template.escape = (t) => { return t; }
let html = template.render(blogItem, { });
}
function ok() {
// ok: escape-function-overwrite
const template = require("mustache");
let html = template.render(blogItem, { });
}
Short Link: https://sg.run/7oWe