mustache.js - quoteless attributes in templates can lead to XSS

Metadata

unknown
unknown
mustache-js-rails
blog.srcclr.com
2015-11-17
2017-04-01 19:11
2017-01-05 20:15

Description

The upstream 'mustache.js' node.js module was found not to escape the backtick (`)
and equals (=) characters. A value rendered into an HTML attribute whose value
is not quoted can therefore break out of that attribute and inject further
content (such as an additional attribute) via templates.

Example:
* Template:
* Input: { 'foo' : 'test.com onload=alert(1)'}
* Rendered result:
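As an added illustration, not mustache.js's or the advisory's own code, the snippet below pairs a pre-fix-style escape table with a hardened one that also covers backtick and equals, renders the advisory's input into a constructed unquoted-attribute template `<img src={{foo}}>`, and checks whether the output gained an event-handler attribute. The `{{name}}` renderer and the `hasEventHandlerAttribute` check are simplified stand-ins assumed for this example, not the module's implementation.

```javascript
// Added example, not mustache.js code: a minimal {{name}} interpolator with
// two escape tables, the weak one (no ` or =) beside the hardened one.
const WEAK_ENTITY_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
};
// Hardened: backtick and equals are escaped too, so a value dropped into an
// unquoted attribute cannot smuggle in a second, attacker-named attribute.
const HARDENED_ENTITY_MAP = {
  ...WEAK_ENTITY_MAP, '`': '&#x60;', '=': '&#x3D;',
};

// Escape every character that has an entry in `map`; others pass through.
function escapeHtml(value, map) {
  return String(value).replace(/[&<>"'`=\/]/g, (ch) => map[ch] || ch);
}

// Interpolate {{name}} placeholders (sections and partials deliberately omitted).
function render(template, view, map) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) => escapeHtml(view[name], map));
}

// Defender-side check: does the rendered markup contain an on*= event-handler
// attribute? An escaped `=` (&#x3D;) is not decoded inside an attribute name,
// so after hardening the injected text never forms a real handler.
function hasEventHandlerAttribute(html) {
  return /\son[a-z]+\s*=/i.test(html);
}

// Constructed template with an unquoted attribute, plus the input from the advisory.
const TEMPLATE = '<img src={{foo}}>';
const VIEW = { foo: 'test.com onload=alert(1)' };

// Render with both tables and report whether an event handler was injected.
function compare() {
  const weak = render(TEMPLATE, VIEW, WEAK_ENTITY_MAP);
  const hardened = render(TEMPLATE, VIEW, HARDENED_ENTITY_MAP);
  return {
    weak,                                                 // <img src=test.com onload=alert(1)>
    hardened,                                             // <img src=test.com onload&#x3D;alert(1)>
    weakInjected: hasEventHandlerAttribute(weak),         // true
    hardenedInjected: hasEventHandlerAttribute(hardened), // false
  };
}

console.log(compare());
```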

Affected package information

Package             Patched in   Unaffected in
mustache-js-rails   >= 2.0.3     None