Ember.js Potential XSS Exploit With User-Supplied Data When Using {{group}} Helper


2018-03-13 17:35
2018-02-16 00:35
2017-04-01 19:10
2017-01-05 20:15


In general, Ember.js escapes or strips any user-supplied content before
inserting it in strings that will be sent to innerHTML. However, we have
identified a vulnerability that could lead to unescaped content being inserted
into the innerHTML string without being sanitized.

When using the `{{group}}` helper, user-supplied content in the template was not
being sanitized. Though the vulnerability exists in Ember.js proper, it is only
exposed via the use of an experimental plugin.

In applications that use the `{{group}}` helper, a specially-crafted payload
could execute arbitrary JavaScript in the context of the current domain.

This vulnerability only affects applications that use the `{{group}}` helper
to display user-provided content.

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched and the versions that are unaffected. If a patch is ready but unreleased, it is marked as pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.


Affected package information

| Package | Patched in | Unaffected in |
|---|---|---|
| ember-source | ~> 1.0.1, ~> 1.1.3, ~> 1.2.1, ~> 1.3.1, >= 1.4.0.beta.2 | None |
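
The `~>` entries are RubyGems pessimistic constraints, so a resolved `ember-source` version can be checked against the patched ranges with `Gem::Requirement`. This is an added example, not part of the original advisory or Appcanary's tooling; the helper names and the lockfile excerpt are constructed for illustration.

```ruby
require "rubygems"

# Patched ranges for ember-source, copied from the table in this advisory.
PATCHED = ["~> 1.0.1", "~> 1.1.3", "~> 1.2.1", "~> 1.3.1", ">= 1.4.0.beta.2"]
            .map { |c| Gem::Requirement.new(c) }.freeze

# A version is patched when it satisfies at least one of the listed ranges.
# Note that "~> 1.0.1" means >= 1.0.1 and < 1.1, so 1.1.0 is NOT covered by it.
def patched?(version)
  v = Gem::Version.new(version)
  PATCHED.any? { |req| req.satisfied_by?(v) }
end

# Hypothetical helper: pull the resolved ember-source version out of
# Gemfile.lock text. Resolved specs are indented four spaces; dependency
# lines (six spaces) are deliberately not matched. Returns nil if absent.
def locked_ember_source(lockfile_text)
  m = lockfile_text.match(/^ {4}ember-source \(([^)]+)\)$/)
  m && m[1]
end

# Returns :not_installed, :patched or :vulnerable for a lockfile.
def audit(lockfile_text)
  version = locked_ember_source(lockfile_text)
  return :not_installed if version.nil?
  patched?(version) ? :patched : :vulnerable
end

# Constructed sample lockfile excerpt (not taken from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      ember-rails (0.14.1)
        ember-source (>= 1.1.0)
      ember-source (1.1.2)
      handlebars-source (1.0.12)
LOCK

puts "ember-source #{locked_ember_source(SAMPLE_LOCK)}: #{audit(SAMPLE_LOCK)}"
```

A `:vulnerable` result only matters for applications that render user-provided content through the `{{group}}` helper, as the advisory states.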