handlebars.js - quoteless attributes in templates can lead to XSS

Metadata

unknown
unknown
handlebars-source
blog.srcclr.com
2015-08-24
2017-04-01 19:11
2017-01-05 20:15

Description

The upstream 'handlebars' Node.js module did not escape equals (=) signs in
escaped expressions, so a value rendered into an unquoted attribute can
terminate that attribute and introduce further ones, allowing content
injection through quoteless attributes in templates.

Example:
* Template:
* Input: { 'foo' : 'test.com onload=alert(1)'}
* Rendered result:
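
As an added example (not the advisory's or Handlebars' own code), the JavaScript below models the escape set Handlebars used before 4.0.0 and the one from 4.0.0 on (which additionally turns `=` into `&#x3D;`), renders the advisory's input into an assumed template `<a href={{foo}}>` in both unquoted and quoted form, and tokenizes the resulting tag's attributes roughly the way a browser does, so the split of the unquoted attribute is visible. The template, the `escapeWith`/`attributesOf` helpers and the escape tables are assumptions for illustration.

```javascript
// Added example, not Handlebars' or the advisory's code. Models the escape set
// Handlebars used before 4.0.0 and the one after (which adds '=' -> '&#x3D;'),
// renders the advisory's input into an assumed template <a href={{foo}}>, and
// tokenizes the tag's attributes roughly the way a browser does.

const ESCAPES_PRE_4 = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};
// 4.0.0 added '=' so a value cannot end an unquoted attribute and start another.
const ESCAPES_POST_4 = Object.assign({ '=': '&#x3D;' }, ESCAPES_PRE_4);

function escapeWith(map, value) {
  return String(value).replace(/[&<>"'`=]/g, ch => (ch in map ? map[ch] : ch));
}
const escapePre4 = v => escapeWith(ESCAPES_PRE_4, v);
const escapePost4 = v => escapeWith(ESCAPES_POST_4, v);

// Two variants of the assumed template; only the quoting of href differs.
const renderUnquoted = (escape, foo) => '<a href=' + escape(foo) + '>link</a>';
const renderQuoted = (escape, foo) => '<a href="' + escape(foo) + '">link</a>';

// Approximate HTML attribute tokenization for the first tag: a name runs until
// whitespace, '=', '/' or '>'; a value is quoted, or unquoted up to whitespace.
// Entities are not decoded in names, which is what defeats the injection.
function attributesOf(html) {
  const tag = html.slice(0, html.indexOf('>'));
  const inner = tag.slice(tag.indexOf(' ') + 1);
  const attrs = Object.create(null);
  const re = /([^\s=>\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;
  let m;
  while ((m = re.exec(inner)) !== null) {
    let value = m[2] === undefined ? '' : m[2];
    if (value[0] === '"' || value[0] === "'") value = value.slice(1, -1);
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// The advisory's input (constructed per the page).
const INPUT = 'test.com onload=alert(1)';

// Pre-4.0.0 + unquoted: 'onload' becomes its own attribute; otherwise it does not.
for (const [label, escape] of [['pre-4.0.0', escapePre4], ['4.0.0+', escapePost4]]) {
  for (const [q, render] of [['unquoted', renderUnquoted], ['quoted', renderQuoted]]) {
    const html = render(escape, INPUT);
    console.log(label, q, html, '->', Object.keys(attributesOf(html)));
  }
}
```

Quoting the attribute in the template is sufficient on its own; the `=` escaping added in 4.0.0 is the defence-in-depth for templates that do not.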

Affected package information

| Package | Patched in | Unaffected in |
|---|---|---|
| handlebars-source | >= 4.0.0 | None |