javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape
Community Favorite
Author: semgrep
Download count*: 33,552
Markup escaping disabled. Some template engines use this setting to turn off HTML entity escaping of substituted values, which can lead to XSS attacks.
Definition
rules:
  - id: detect-disable-mustache-escape
    message: Markup escaping disabled. This can be used with some template engines
      to escape disabling of HTML entities, which can lead to XSS attacks.
    metadata:
      cwe:
        - "CWE-116: Improper Encoding or Escaping of Output"
      owasp:
        - A03:2021 - Injection
      source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-disable-mustache-escape.js
      category: security
      technology:
        - mustache
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Encoding
    languages:
      - javascript
      - typescript
    severity: WARNING
    pattern: $OBJ.escapeMarkup = false
Examples
detect-disable-mustache-escape.js
// Property assignment on an object: matches the pattern $OBJ.escapeMarkup = false
// ruleid:detect-disable-mustache-escape
a.escapeMarkup = false;
// Bare identifier, not a property assignment, so the pattern does not match
// ok:detect-disable-mustache-escape
escapeMarkup = false;
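What the rule guards against, as an added JavaScript illustration that is not part of the rule or its test file: a constructed Mustache-style renderer whose `escapeMarkup` property is the one the pattern `$OBJ.escapeMarkup = false` looks for, with a constructed untrusted value rendered once with escaping on and once with it switched off.

```javascript
// Added illustration, not code from the Semgrep rule or its test file.
// The engine object, template and untrusted data below are all constructed here.

function escapeHtml(s) {
  // Encode the characters that let untrusted text break out of HTML text context.
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hypothetical template engine: {{name}} substitutes data.name, HTML-escaped
// unless escapeMarkup has been switched off on the engine object.
const engine = {
  escapeMarkup: true,
  render(template, data) {
    return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) => {
      const value = key in data ? data[key] : "";
      return this.escapeMarkup ? escapeHtml(value) : String(value);
    });
  },
};

// Constructed untrusted input, e.g. a user-supplied display name.
const untrusted = { name: "<script>alert(1)</script>" };
const template = "<p>Hello, {{name}}</p>";

// Default: markup is neutralised and the browser shows it as text.
function renderSafe() {
  engine.escapeMarkup = true;
  return engine.render(template, untrusted);
}

// The assignment the rule flags. From here on, raw markup from the data
// reaches the output unchanged: the CWE-116 condition that enables XSS.
function renderUnsafe() {
  engine.escapeMarkup = false; // ruleid:detect-disable-mustache-escape
  return engine.render(template, untrusted);
}

console.log(renderSafe());   // <p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</p>
console.log(renderUnsafe()); // <p>Hello, <script>alert(1)</script></p>
```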
Short Link: https://sg.run/Yvwd