Some special characters should be HTML encoded, in addition to the ones that
are being escaped today. I've reviewed other Mustache libraries looking for
how they handle this topic and whether they had any known vulnerability.
The most active one seems to be the JavaScript one
(https://github.com/janl/mustache.js). Looking into the Snyk vulnerability
database, I've found https://security.snyk.io/vuln/npm:mustache:20151207
(CVE-2015-8862), which leads to XSS exploits and does affect Boost.Mustache,
too.

Two exploits are possible:

- … of IE (https://html5sec.org/#59; "Backtick is added to entityMap",
  janl/mustache.js#388)
- … the equal sign can mitigate the risk of attribute injection. (IMHO
  attributes without quotes make kittens die, but this is listed as a
  vulnerability.)

The JavaScript library performs this replacement:

They also escape the forward slash (&#x2f;). I haven't found a vulnerability
to point you to, but I guess that could be added as additional hardening,
if you like.
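As an added worked example (my own code, not Boost.Mustache's implementation and not the mustache.js source quoted in the issue), the following C++ escaper uses the eight-entry table that I believe mustache.js adopted after the backtick change (`&`, `<`, `>`, `"`, `'`, `/`, `` ` ``, `=`; I am stating that set from memory, so treat it as an assumption) next to the narrower five-entry table, and renders a constructed template with an unquoted attribute to show why escaping `=` blocks attribute injection. The template, payload and helper names are all hypothetical.

```cpp
#include <iostream>
#include <string>
#include <string_view>

// Escape `in` with the eight-character table (& < > " ' / ` =).
// Assumption: this is the entityMap mustache.js uses after janl/mustache.js#388.
// Backtick and equals are the two additions tied to CVE-2015-8862; the forward
// slash is the extra hardening mentioned in the issue.
std::string html_escape(std::string_view in) {
    std::string out;
    out.reserve(in.size() + 16);
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            case '/':  out += "&#x2F;"; break;
            case '`':  out += "&#x60;"; break;
            case '=':  out += "&#x3D;"; break;
            default:   out += c;        break;
        }
    }
    return out;
}

// The narrower five-character table (& < > " '). Enough for text nodes and
// properly quoted attributes, but it leaves ` and = untouched.
std::string html_escape_basic(std::string_view in) {
    std::string out;
    out.reserve(in.size() + 16);
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;        break;
        }
    }
    return out;
}

// Hypothetical rendering of the badly written template `<a href={{url}}>`:
// the attribute value is unquoted, so a space inside the interpolated value
// starts a new attribute, and a raw `=` lets that attribute take a value.
std::string render_unquoted_href(std::string_view url, bool hardened) {
    return "<a href=" + (hardened ? html_escape(url) : html_escape_basic(url)) + ">";
}

// True if the rendered tag contains a usable `onmouseover=` handler,
// i.e. the attribute injection succeeded.
bool has_injected_handler(std::string_view html) {
    return html.find(" onmouseover=") != std::string_view::npos;
}

int main() {
    // Constructed attacker payload: closes the href value with a space and
    // appends an event-handler attribute.
    const std::string payload = "x onmouseover=alert(1)";
    std::cout << render_unquoted_href(payload, false) << "\n";  // handler survives
    std::cout << render_unquoted_href(payload, true)  << "\n";  // `=` becomes &#x3D;
    return 0;
}
```

With the five-entry table the output is `<a href=x onmouseover=alert(1)>`; with the eight-entry table it is `<a href=x onmouseover&#x3D;alert(1)>`, where the browser sees an attribute name with no value rather than a handler. Note that escaping `=` only mitigates the unquoted-attribute case; quoting attribute values in the template remains the real fix.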