Cross-site Scripting (XSS) Affecting handlebars package, versions [,4.0.0)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Cross-site Scripting (XSS) vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-DOTNET-HANDLEBARS-60167
- published14 Dec 2015
- disclosed14 Dec 2015
- creditMatias P. Brutti
Introduced: 14 Dec 2015
CVE NOT AVAILABLE CWE-79 (opens in a new tab)Overview
When using attributes without quotes in a handlebars template, an attacker can manipulate the input to introduce additional attributes, potentially executing code. This may lead to a Cross-site Scripting (XSS) vulnerability, assuming an attacker can influence the value entered into the template. If the handlebars template is used to render user-generated content, this vulnerability may escalate to a persistent XSS vulnerability.
Example:
Assume handlebars was used to display user comments and avatar, using the following template:
<img src={{avatarUrl}}><pre>{{comment}}</pre>
If an attacker spoofed their avatar URL and provided the following value:
http://evil.org/avatar.png onload=alert(document.cookie)
The resulting HTML would be the following, triggering the script once the image loads:
<img src=http://evil.org/avatar.png onload=alert(document.cookie)><pre>Gotcha!</pre>
Details
<>