Quoteless Attributes in Templates can lead to Content Injection

Module: handlebars

Published: December 14th, 2015

Reported by: Matias P. Brutti

CVE-2015-8861

CWE-

Vulnerable: <4.0.0
Patched: >=4.0.0

Overview

Not using quotes around your attributes in handlebar templates, could lead to content injection.

Example

Template: <a href={{foo}}/>

Input: { 'foo' : 'test.com onload=alert(1)'}

Rendered result: <a href=test.com onload=alert(1)/>

Remediation

If you are unable to upgrade to version 4.0.0 or greater you can add quotes to your attributes in your handlebar templates.

References

Sign up FREE for
nsp Continuous Security

Free for open source and the first private repo,
then just $1/mo per private repo