diff --git a/javascript/express/security/audit/xss/mustache/var-in-href.mustache b/javascript/express/security/audit/xss/mustache/var-in-href.mustache
deleted file mode 100644
index b47e8200f0..0000000000
--- a/javascript/express/security/audit/xss/mustache/var-in-href.mustache
+++ /dev/null
@@ -1,62 +0,0 @@
-<!-- cf. https://github.com/caiomartini/mustache-demo/blob/97b9200ebd2d27953febff23e6718aa1aa9ee44d/demo-mustache.html -->
-<!DOCTYPE HTML>
-<html>
-
-<head>
-    <title>Demo Mustache.JS</title>
-    <meta charset="utf-8">
-    <link rel="stylesheet" href="node_modules\bootstrap\dist\css\bootstrap.min.css">
-    <script type="text/javascript" src="node_modules\jquery\dist\jquery.min.js"></script>
-    <script type="text/javascript" src="node_modules\bootstrap\dist\js\bootstrap.min.js"></script>
-    <script type="text/javascript" src="node_modules\mustache\mustache.min.js"></script>
-    <script type="text/javascript" src="demo-mustache.js"></script>
-</head>
-
-<body onload="carregarDemo();">
-    <div class="content">
-        <div id="mustache-header"></div>
-        <div id="mustache-cards"></div>
-    </div>
-
-    <!-- ok: var-in-href -->
-    <p class="navbar-text navbar-right">Singed in as: <a href=/profile>{{ val }}</a></p>
-</body>
-
-<script id="template-header" type="x-tmpl-mustache">
-    <div class="jumbotron text-center">
-        <h1 class="display-4">Oi, meu nome é {{autor.nome}} {{autor.sobrenome}}!</h1>
-        <p class="lead">Isso é apenas uma demonstração de como utilizar o Mustache.JS</p>
-        <!-- ruleid: var-in-href -->
-        <a href="{{ link }}" class="text-center">Click me</a>
-        <!-- ok: var-in-href -->
-        <a href="/{{ link }}" class="text-center">Click me</a>
-    </div>
-</script>
-
-<script id="template-cards" type="x-tmpl-mustache">
-    <div class="text-center">
-        <h2>Apresentando o time da <b>{{time.nome}}</b></h2>
-        <h6>Predio {{time.predio}}</h6>
-    </div>
-    {{#time}}
-    <div class="container" style="margin-top: 30px;">
-        <div class="row">
-            {{#squads}}
-            <div class="col-sm-6">
-                <div class="card">
-                    <div class="card-header text-center">
-                        <b>{{nome}}</b>
-                    </div>
-                    <div class="card-body">
-                        {{! Partial de tabela de membros do Squad }}
-                        {{> template-table}}
-                    </div>
-                </div>
-            </div>
-            {{/squads}}
-        </div>
-    </div>
-    {{/time}}
-</script>
-
-</html>
diff --git a/javascript/express/security/audit/xss/mustache/var-in-href.yaml b/javascript/express/security/audit/xss/mustache/var-in-href.yaml
deleted file mode 100644
index 6f6148dca9..0000000000
--- a/javascript/express/security/audit/xss/mustache/var-in-href.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-rules:
-- id: var-in-href
-  message: >-
-    Detected a template variable used in an anchor tag with
-    the 'href' attribute. This allows a malicious actor to
-    input the 'javascript:' URI and is subject to cross-
-    site scripting (XSS) attacks. If using a relative URL,
-    start with a literal forward slash and concatenate the URL,
-    like this: href='/{{link}}'. You may also consider setting
-    the Content Security Policy (CSP) header.
-  metadata:
-    cwe:
-    - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
-    owasp:
-    - A07:2017 - Cross-Site Scripting (XSS)
-    - A03:2021 - Injection
-    references:
-    - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI
-    - https://github.com/pugjs/pug/issues/2952
-    category: security
-    technology:
-    - express
-    cwe2022-top25: true
-    cwe2021-top25: true
-    subcategory:
-    - audit
-    likelihood: LOW
-    impact: MEDIUM
-    confidence: LOW
-  languages:
-  - regex
-  severity: WARNING
-  paths:
-    include:
-    - '*.mustache'
-    - '*.hbs'
-    - '*.html'
-  pattern-regex: <a.*href\s*=(\s|['"])*?{{.*?}}.*
diff --git a/python/django/security/audit/xss/template-href-var.html b/python/django/security/audit/xss/template-href-var.html
deleted file mode 100644
index 8fdbfc3bec..0000000000
--- a/python/django/security/audit/xss/template-href-var.html
+++ /dev/null
@@ -1,22 +0,0 @@
-<h4>From: {{ from_email }}</h4>
-<h4>To:
-    {% for recipient in recipients %}
-    {{ recipient }}&nbsp;
-    {% endfor %}
-</h4>
-<h4>Subject: {{subject}}</h4>
-<div class="email" style="display: block;">
-    {{ message }}
-</div>
-<div class="email-text" style="display: none;">
-    <pre>{{ body }}</pre>
-    <!-- ruleid: template-href-var -->
-    <a href='{{ link }}'>{{ link_text }}</a>
-    <!-- ruleid: template-href-var -->
-    <a href =  '{{ link }}' >{{ link_text }}</a>
-    <!-- ok: template-href-var -->
-    <a href="{% url 'login' %}">{{ link_text }}</a>
-    <!-- ok: template-href-var -->
-    <a href="https://example.com/">{{ link_text }}</a>
-</div>
-<hr>
diff --git a/python/django/security/audit/xss/template-href-var.yaml b/python/django/security/audit/xss/template-href-var.yaml
deleted file mode 100644
index 5069f3952d..0000000000
--- a/python/django/security/audit/xss/template-href-var.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-rules:
-- id: template-href-var
-  message: >-
-    Detected a template variable used in an anchor tag with
-    the 'href' attribute. This allows a malicious actor to
-    input the 'javascript:' URI and is subject to cross-
-    site scripting (XSS) attacks. Use the 'url' template tag
-    to safely generate a URL. You may also consider setting
-    the Content Security Policy (CSP) header.
-  metadata:
-    cwe:
-    - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
-    owasp:
-    - A07:2017 - Cross-Site Scripting (XSS)
-    - A03:2021 - Injection
-    references:
-    - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss
-    - https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#url
-    - https://content-security-policy.com/
-    category: security
-    technology:
-    - django
-    cwe2022-top25: true
-    cwe2021-top25: true
-    subcategory:
-    - audit
-    likelihood: LOW
-    impact: MEDIUM  
-    confidence: LOW
-  languages:
-  - generic
-  paths:
-    include:
-    - '*.html'
-  severity: WARNING
-  patterns:
-  - pattern-inside: <a ...>
-  - pattern-either:
-    - pattern: href = '{{...}}'
-    - pattern: href = "{{...}}"
-    - pattern: href = {{...}}
diff --git a/python/django/security/audit/xss/var-in-script-tag.html b/python/django/security/audit/xss/var-in-script-tag.html
deleted file mode 100644
index 8bfb72f8d5..0000000000
--- a/python/django/security/audit/xss/var-in-script-tag.html
+++ /dev/null
@@ -1,21 +0,0 @@
-<!DOCTYPE html>
-<html>
-    <head></head>
-    <body>
-        <script>
-            // ruleid: var-in-script-tag
-            const mydata = {{ mydata_json|safe }};
-            // ruleid: var-in-script-tag
-            const moredata = {{ mydata_json }};
-        </script>
-        <div>
-            <!-- ok: var-in-script-tag -->
-            <p>{{ this_is_fine }}</p>
-        </div>
-
-        <!-- ok: var-in-script-tag -->
-        <script nonce="{{ request.csp_nonce }}">
-            console.log('inline script running');
-        </script>
-    </body>
-</html>
diff --git a/python/django/security/audit/xss/var-in-script-tag.yaml b/python/django/security/audit/xss/var-in-script-tag.yaml
deleted file mode 100644
index a56724ba50..0000000000
--- a/python/django/security/audit/xss/var-in-script-tag.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-rules:
-- id: var-in-script-tag
-  languages: [generic]
-  severity: ERROR
-  message: >-
-    Detected a template variable used in a script tag.
-    Although template variables are HTML escaped, HTML
-    escaping does not always prevent cross-site scripting (XSS)
-    attacks when used directly in JavaScript. If you need this
-    data on the rendered page, consider placing it in the HTML
-    portion (outside of a script tag). Alternatively, use a
-    JavaScript-specific encoder, such as the one available
-    in OWASP ESAPI. For Django, you may also consider using
-    the 'json_script' template tag and retrieving the data in
-    your script by using the element ID (e.g., `document.getElementById`).
-  patterns:
-  - pattern-inside: <script ...> ... </script>
-  - pattern: '{{ ... }}'
-  - pattern-not-inside: nonce = '...'
-  - pattern-not-inside: nonce = "..."
-  paths:
-    include:
-    - '*.html'
-  metadata:
-    cwe:
-    - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
-    owasp:
-    - A07:2017 - Cross-Site Scripting (XSS)
-    - A03:2021 - Injection
-    references:
-    - https://adamj.eu/tech/2020/02/18/safely-including-data-for-javascript-in-a-django-template/?utm_campaign=Django%2BNewsletter&utm_medium=rss&utm_source=Django_Newsletter_12A
-    - https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough
-    - https://github.com/ESAPI/owasp-esapi-js
-    category: security
-    technology:
-    - django
-    cwe2022-top25: true
-    cwe2021-top25: true
-    subcategory:
-    - audit
-    likelihood: LOW
-    impact: MEDIUM
-    confidence: LOW
diff --git a/python/flask/security/xss/audit/template-href-var.html b/python/flask/security/xss/audit/template-href-var.html
deleted file mode 100644
index 34adbcf891..0000000000
--- a/python/flask/security/xss/audit/template-href-var.html
+++ /dev/null
@@ -1,32 +0,0 @@
-<h4>From: {{ from_email }}</h4>
-<h4>To:
-    {% for recipient in recipients %}
-    {{ recipient }}&nbsp;
-    {% endfor %}
-</h4>
-<h4>Subject: {{subject}}</h4>
-<div class="email" style="display: block;">
-    {{ message }}
-</div>
-<div class="email-text" style="display: none;">
-    <pre>{{ body }}</pre>
-    <!-- ruleid: template-href-var -->
-    <a href='{{ link }}'>{{ link_text }}</a>
-    <!-- ruleid: template-href-var -->
-    <a href = '{{ link }}' >{{ link_text }}</a>
-    <!-- ruleid: template-href-var -->
-    <a href = "{{ link }}" >{{ link_text }}</a>
-    <a
-        // ruleid: template-href-var
-        href = "{{ link }}"
-    >
-        {{ link_text }}
-    </a>
-    <!-- ok: template-href-var -->
-    <a href="{{ url_for('index') }}">{{ link_text }}</a>
-    <!-- ok: template-href-var -->
-    <a href="https://example.com/">{{ link_text }}</a>
-    <!-- ok: template-href-var -->
-    <a href="https://example.com/{{ link_path }}">{{ link_text }}</a>
-</div>
-<hr>
diff --git a/python/flask/security/xss/audit/template-href-var.yaml b/python/flask/security/xss/audit/template-href-var.yaml
deleted file mode 100644
index d8d625198f..0000000000
--- a/python/flask/security/xss/audit/template-href-var.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-rules:
-- id: template-href-var
-  message: >-
-    Detected a template variable used in an anchor tag with
-    the 'href' attribute. This allows a malicious actor to
-    input the 'javascript:' URI and is subject to cross-
-    site scripting (XSS) attacks. Use 'url_for()' to safely
-    generate a URL. You may also consider setting the Content
-    Security Policy (CSP) header.
-  metadata:
-    cwe:
-    - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
-    owasp:
-    - A07:2017 - Cross-Site Scripting (XSS)
-    - A03:2021 - Injection
-    references:
-    - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss
-    - https://content-security-policy.com/
-    category: security
-    technology:
-    - flask
-    cwe2022-top25: true
-    cwe2021-top25: true
-    subcategory:
-    - audit
-    likelihood: LOW
-    impact: MEDIUM
-    confidence: LOW
-  languages:
-  - generic
-  paths:
-    include:
-    - '*.html'
-  severity: WARNING
-  patterns:
-  - pattern-inside: <a ...>
-  - pattern-either:
-    - pattern: href = {{ ... }}
-    - pattern: href = "{{ ... }}"
-    - pattern: href = '{{ ... }}'
-  - pattern-not-inside: href = {{ url_for(...) ... }}
-  - pattern-not-inside: href = "{{ url_for(...) ... }}"
-  - pattern-not-inside: href = '{{ url_for(...) ... }}'