This repository has been archived by the owner on Apr 22, 2023. It is now read-only.

Upload first batch of vulns #5

Merged
merged 1 commit into from
Oct 23, 2018


vdeturckheim
Member

No description provided.

@vdeturckheim vdeturckheim self-assigned this Oct 23, 2018
@vdeturckheim vdeturckheim merged commit 03aa643 into master Oct 23, 2018
@vdeturckheim vdeturckheim deleted the upload_vulns branch October 23, 2018 11:14
@infolock

infolock commented Mar 19, 2019

@vdeturckheim

#5 is not a Handlebars vulnerability and has incorrectly been labeled as such. This is a vulnerability implemented by developers applying values to attributes without wrapping those values with quotes.

While the quotes are optional, omitting them actually introduces a possible XSS vulnerability. This can be done with or without Handlebars. If Handlebars is marked as being the vulnerability - then any library that allows a developer to pass in HTML to its methods is also a culprit of introducing this vulnerability...

More information has been provided here: handlebars-lang/handlebars.js#1514 (comment)
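
The check that the comment above implies, as an added example that is not part of the original thread or of Handlebars: a small JavaScript scanner that reports template expressions placed in unquoted HTML attribute values. The function name, the result fields and the sample template are constructed for illustration.

```javascript
// Added example: report every {{expression}} that is used as, or inside,
// an unquoted HTML attribute value in template source.
function findUnquotedMustacheAttrs(template) {
  const findings = [];
  let tagStart = -1;  // index of "<" while inside a start tag, else -1
  let quote = null;   // '"' or "'" while inside a quoted attribute value
  for (let i = 0; i < template.length; i++) {
    if (template.startsWith('{{', i)) {
      let end = template.indexOf('}}', i);
      if (end === -1) break;                        // unterminated expression
      if (template[i + 2] === '{' && template[end + 2] === '}') end++; // {{{raw}}}
      if (tagStart !== -1 && quote === null) {
        // Does the tag text so far end in name=<no whitespace, no quotes>?
        const m = /([^\s"'<>\/=]+)\s*=\s*[^\s"'<>=]*$/
          .exec(template.slice(tagStart, i));
        if (m) {
          findings.push({
            line: template.slice(0, i).split('\n').length,
            attribute: m[1],
            expression: template.slice(i, end + 2),
          });
        }
      }
      i = end + 1;                                  // skip the expression body
      continue;
    }
    const ch = template[i];
    if (quote !== null) {
      if (ch === quote) quote = null;               // closing quote
    } else if (tagStart === -1) {
      // A start tag begins at "<" followed by a letter.
      if (ch === '<' && /[A-Za-z]/.test(template[i + 1] || '')) tagStart = i;
    } else if (ch === '>') {
      tagStart = -1;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    }
  }
  return findings;
}

// Constructed sample template, not taken from any real project.
const SAMPLE = [
  '<a href={{url}} title="{{title}}">{{label}}</a>',
  '<img src="{{src}}" alt={{alt}}>',
  '<p class="note {{kind}}">a = {{b}}</p>',
].join('\n');

console.log(findUnquotedMustacheAttrs(SAMPLE));
```

Expressions inside quoted values and in element text are not reported; Handlebars comments and `<script>` bodies are not specially handled.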

@vdeturckheim
Member Author

@infolock I am not sure which document you are referring to, can you open an issue with a link to the json file in this repo?

Thanks a lot for this heads up!

@infolock

sure thing, thanks!
