Template engines, such as Mustache or Handlebars, provide automatic escaping of template variables to prevent cross-site scripting (XSS) attacks, but this protection can be explicitly disabled. Markdown renderers such as markdown-it, marked and kramed expose an equivalent switch that lets raw HTML in the Markdown source through, and are treated the same way here.
Template engines provide auto-escaping as a safety mechanism that transforms HTML special characters (<, >, &, quotes) in variable output before rendering,
preventing user-controlled input from being interpreted as HTML or JavaScript by the browser. Disabling this protection — through settings like
autoescape: false, escape-bypass filters like |safe, or their JavaScript equivalents (overriding Mustache.escape, Handlebars' noEscape: true, markdown-it's html: true, marked/kramed's sanitize: false) — allows untrusted input to pass through
unmodified and be interpreted by the browser as markup or executed as script.
When auto-escaping is disabled, an attacker who can control the content of template variables can inject malicious HTML or JavaScript into pages served to other users. An attacker could steal session tokens, redirect users to phishing pages, or perform unauthorized actions on behalf of the victim.
The following Mustache examples show a noncompliant configuration that disables auto-escaping (so template variables are rendered without HTML encoding), followed by a compliant one that leaves the default escaping in place.
// Noncompliant: replacing Mustache.escape with an identity function switches HTML
// escaping off for every render in this process, not only for this template. Any
// attacker-controlled `inputName` is then copied into the page verbatim (XSS).
const Mustache = require("mustache");
Mustache.escape = (text) => text; // Noncompliant
const rendered = Mustache.render(template, { name: inputName });
// Compliant: Mustache.escape is left untouched, so `{{name}}` is HTML-escaped on output.
// NOTE(review): escaping is per-tag — a `{{{name}}}` or `{{& name}}` tag in the template
// emits the raw value regardless of this setting, so review templates for those as well.
const Mustache = require("mustache");
const view = { name: inputName };
const rendered = Mustache.render(template, view); // Compliant autoescaping is on by default
The following Handlebars examples show a noncompliant compile option (noEscape: true) that renders template variables without HTML encoding, followed by a compliant one that keeps the default encoding.
// Noncompliant: `noEscape: true` compiles a template whose `{{name}}` expressions are
// emitted without HTML encoding, so an attacker-controlled `name` becomes live markup.
const Handlebars = require('handlebars');
const source = "<p>attack {{name}}</p>";
const template = Handlebars.compile(source, { noEscape: true }); // Noncompliant
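// Compliant: compiled with the default `noEscape: false`, so `{{name}}` is HTML-encoded
// and the `<b>` tags in `data.name` arrive in the output as text, not as markup.
// `data` is actually rendered here so the effect of the default is visible.
// NOTE(review): `{{{name}}}` (triple-stash) and values wrapped in Handlebars.SafeString
// bypass this encoding on purpose — never apply them to untrusted data.
const Handlebars = require('handlebars');
const source = "<p>attack {{name}}</p>";
const data = { "name": "<b>Alan</b>" };
const template = Handlebars.compile(source); // Compliant by default noEscape is set to false
const html = template(data); // "<p>attack &lt;b&gt;Alan&lt;/b&gt;</p>"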
The following markdown-it examples show a noncompliant option (html: true) that passes raw HTML found in the Markdown source through unescaped, followed by a compliant one that keeps the default html: false so such tags are escaped.
// Noncompliant: `html: true` tells markdown-it to pass raw HTML found in the Markdown
// source straight into the output, so `<b>attack</b>` — or a <script>/<img onerror=...>
// tag from an untrusted author — is rendered as live markup instead of text.
const markdownIt = require('markdown-it');
const md = markdownIt({ html: true }); // Noncompliant
const result = md.render('# <b>attack</b>');
// Compliant: with the default `html: false`, markdown-it escapes the `<b>` tags so the
// heading text shows literally as "<b>attack</b>" in the browser instead of being bold.
const markdownIt = require('markdown-it');
const md = markdownIt(); // Compliant by default html is set to false
const result = md.render('# <b>attack</b>');
The following marked examples show a noncompliant option (sanitize: false) that emits raw HTML embedded in the Markdown input unchanged, followed by a compliant one that enables sanitization.
// Noncompliant: `sanitize: false` lets marked emit any raw HTML embedded in the Markdown
// input unchanged, so whoever controls the Markdown controls the page's DOM.
const marked = require('marked');
const renderer = new marked.Renderer();
marked.setOptions({
  renderer,
  sanitize: false, // Noncompliant
});
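// Compliant: raw HTML in the Markdown input is escaped rather than emitted.
// NOTE(review): marked's documented default for `sanitize` is false, so relying on the
// default leaves raw HTML through — the flag has to be set explicitly. In newer marked
// releases `sanitize` is deprecated/removed; there, run the rendered HTML through a
// dedicated HTML sanitizer before inserting it into the page.
const marked = require('marked');
marked.setOptions({
  renderer: new marked.Renderer(),
  sanitize: true, // Compliant
});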
The following kramed examples show a noncompliant renderer option (sanitize: false) that lets raw HTML embedded in the Markdown input reach the output unescaped, followed by a compliant one that enables sanitization.
// Noncompliant: `sanitize: false` on the kramed renderer lets raw HTML embedded in the
// Markdown input reach the output unescaped, so untrusted Markdown can inject markup.
const kramed = require('kramed');
const renderer = new kramed.Renderer({ sanitize: false }); // Noncompliant
const options = { renderer };
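// Compliant: HTML embedded in the Markdown input is escaped instead of emitted.
// NOTE(review): in marked-derived renderers the `sanitize` flag is consulted by the
// lexer as well as the renderer, so setting it only on the Renderer may not be enough —
// it is therefore also set at the top level of `options`. `options` must actually be
// passed to the render call (presumably `kramed(src, options)`; verify against the API).
const kramed = require('kramed');
const options = {
  sanitize: true, // Compliant
  renderer: new kramed.Renderer({
    sanitize: true, // Compliant
  }),
};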