javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape

Community Favorite
profile photo of semgrepsemgrep
Author
33,552
Download Count*
LGPL Commons Clause
License

Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: detect-disable-mustache-escape
    message: Markup escaping disabled. This can be used with some template engines
      to escape disabling of HTML entities, which can lead to XSS attacks.
    metadata:
      cwe:
        - "CWE-116: Improper Encoding or Escaping of Output"
      owasp:
        - A03:2021 - Injection
      source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-disable-mustache-escape.js
      category: security
      technology:
        - mustache
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Encoding
    languages:
      - javascript
      - typescript
    severity: WARNING
    pattern: $OBJ.escapeMarkup = false

Examples

detect-disable-mustache-escape.js

// ruleid:detect-disable-mustache-escape
a.escapeMarkup = false;

// ok:detect-disable-mustache-escape
escapeMarkup = false;