Insecure Handlebars Configuration
Description
The application compiles templates with `Handlebars.compile` using the insecure option `{noEscape: true}`. This disables Handlebars' default HTML escaping of interpolated values, which is the mechanism that prevents Cross-Site Scripting (XSS) when untrusted data is rendered into a page.
Examples
Insecure Code
```javascript
var Handlebars = require("handlebars");
var template = "This is {{target}}";
// noEscape: true turns off HTML escaping, so req.query.message reaches the response verbatim
var out = Handlebars.compile(template, {noEscape: true})({target: req.query.message});
res.send(out);
```
Secure Code
```javascript
var Handlebars = require("handlebars");
var template = "This is {{target}}";
// With default options, {{target}} is HTML-escaped before the response is sent
var out = Handlebars.compile(template)({target: req.query.message});
res.send(out);
```
Remediation
Use `Handlebars.compile` with its default settings, or set `{noEscape: false}` explicitly, so that interpolated values are HTML-encoded before they are sent to the client.
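As an added example (not part of the original rule text), the following source scanner finds the pattern this rule describes: `Handlebars.compile` calls whose options set `noEscape: true`, including the case where the options object is first stored in a local variable. It goes slightly beyond the page by also checking `Handlebars.precompile`, which accepts the same compiler option; the sample source it scans is constructed for the demonstration.

```javascript
// Added example: flag Handlebars.compile()/precompile() calls made with {noEscape: true}.
// Two passes: (1) collect variables assigned an object literal containing noEscape: true,
// (2) report calls whose options argument is such a literal or such a variable.
const OPTION_VAR_RE =
  /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*\{[^{}]*\bnoEscape\s*:\s*true\b[^{}]*\}/g;
const COMPILE_RE =
  /\bHandlebars\.(compile|precompile)\s*\(\s*([^,()]+?)\s*,\s*([^()]*?)\s*\)/g;
const NO_ESCAPE_LITERAL_RE = /\{[^{}]*\bnoEscape\s*:\s*true\b[^{}]*\}/;

// Returns one finding per insecure call: { line, call, options }.
// Limitation: options built dynamically (e.g. Object.assign) are not resolved.
function findNoEscapeCompiles(source) {
  const taintedVars = new Set();
  for (const m of source.matchAll(OPTION_VAR_RE)) taintedVars.add(m[1]);

  const findings = [];
  for (const m of source.matchAll(COMPILE_RE)) {
    const options = m[3].trim();
    const insecure = NO_ESCAPE_LITERAL_RE.test(options) || taintedVars.has(options);
    if (!insecure) continue;
    // 1-based line number of the match, for reporting
    const line = source.slice(0, m.index).split("\n").length;
    findings.push({ line, call: `Handlebars.${m[1]}`, options });
  }
  return findings;
}

// Constructed sample source: two insecure calls (one via a variable) and two safe ones.
const SAMPLE_SOURCE = [
  'var tpl = Handlebars.compile("Hi {{name}}", {noEscape: true});',
  'var opts = { noEscape: true };',
  'var tpl2 = Handlebars.compile(template, opts);',
  'var safe = Handlebars.compile(template);',
  'var safe2 = Handlebars.compile(template, { noEscape: false });',
].join("\n");

for (const f of findNoEscapeCompiles(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.call}(..., ${f.options}) disables HTML escaping`);
}
```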
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0428 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-80 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | XSS, Template Injection |
| OWASP | A7:2017-Cross-Site Scripting (XSS), A03:2021-Injection |