Ember.js Potential XSS Exploit With User-Supplied Data When Binding Primitive Values


2018-03-13 17:35
2018-02-16 00:35
2017-04-01 19:10
2017-01-05 20:15


In general, Ember.js escapes or strips any user-supplied content before
inserting it in strings that will be sent to innerHTML. However, we have
identified a vulnerability that could lead to unescaped content being inserted
into the innerHTML string without being sanitized.

When a primitive value is used as the Handlebars context, that value is not
properly escaped. An example of this would be using the `{{each}}` helper to
iterate over an array of user-supplied strings and using `{{this}}` inside the
block to display each string.

In applications that contain templates whose context is a primitive value and
use the `{{this}}` keyword to display that value, a specially-crafted payload
could execute arbitrary JavaScript in the context of the current domain

This vulnerability affects applications that contain templates whose context is
set to a user-supplied primitive value (such as a string or number) and also
contain the `{{this}}` special Handlebars variable to display the value.

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unrealeased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continously monitor your installed packages, and tell you if any of them are vulnerable.

Sign up for monitoring

Affected package information

Package Patched in Unaffected in
ember-source ~> 1.0.1,~> 1.1.3,~> 1.2.1,~> 1.3.1,>= 1.4.0.beta.2 None