Cross-Site Scripting in handlebars

Moderate severity · GitHub Reviewed · Published Oct 23, 2018 · Updated Sep 8, 2021

Package

handlebars (npm)

Affected versions

< 4.0.0

Patched versions

4.0.0

Description

Versions of handlebars prior to 4.0.0 are affected by a cross-site scripting vulnerability when attribute values in Handlebars templates are not quoted. A {{expr}} expression HTML-escapes its output, but whitespace passes through unchanged, so when the expression sits in an unquoted attribute the first space in the value ends that attribute and the browser parses the remainder as additional attributes, including event handlers such as onload.

Proof of Concept

Template:
<a href={{foo}}/>

Input:
{ 'foo' : 'test.com onload=alert(1)'}

Rendered result:
<a href=test.com onload=alert(1)/>

Recommendation

Update to version 4.0.0 or later.
Alternatively, ensure that every attribute value in a Handlebars template is enclosed in quotes, e.g. <a href="{{foo}}">, so that whitespace inside the value cannot terminate the attribute; because {{expr}} escapes the quote character, a value cannot close the quotes early. Quoting only prevents breaking out of the attribute; it does not make an untrusted value a safe URL, so href targets still need their own validation.
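The proof of concept and both mitigations, as an added example that is not code from the handlebars project or from this advisory. It models the {{expr}} escaping with two small escape tables (an assumption of this example, based on my understanding that 4.0.0 added = to the set of escaped characters; the tables are a re-implementation, not the library's source), a toy {{name}} renderer, and a simplified HTML start-tag attribute tokenizer, so the effect of quoting and of the 4.0.0 fix can be checked offline. The names render, attributeNames, injectsHandler and the constants are this example's own.

```javascript
// Added example, not code from the handlebars project: a minimal model of the
// {{expr}} HTML escaping Handlebars applied before and after 4.0.0, plus a
// rough HTML start-tag attribute tokenizer, to show why an unquoted attribute
// turns "test.com onload=alert(1)" into a second, attacker-chosen attribute.
// The escape tables are this example's re-implementation (assumption: the
// pre-4.0.0 set is & < > " ' ` and 4.0.0 added =), not the library's source.

const ESCAPE_PRE_4 = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};
// 4.0.0 additionally escapes '=' so an injected value cannot form name=value pairs.
const ESCAPE_4 = { ...ESCAPE_PRE_4, '=': '&#x3D;' };

function escaperFor(table) {
  const re = new RegExp('[' + Object.keys(table).join('') + ']', 'g');
  return (value) => String(value).replace(re, (ch) => table[ch]);
}
const escapePre4 = escaperFor(ESCAPE_PRE_4);
const escape4 = escaperFor(ESCAPE_4);

// Toy renderer: substitutes {{name}} with the escaped context value.
function render(template, ctx, escape) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) => escape(ctx[key]));
}

// Attribute names of the first start tag, following the HTML tokenizer's rules
// for quoted vs. unquoted values (simplified: assumes no raw '>' inside values,
// which the escaping guarantees here). Browsers do not decode character
// references inside attribute *names*, so those are left as-is as well.
function attributeNames(html) {
  const open = html.indexOf('<');
  const tag = html.slice(open + 1, html.indexOf('>', open));
  const ws = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\f';
  const names = [];
  let i = 0;
  while (i < tag.length && !ws(tag[i]) && tag[i] !== '/') i++; // skip tag name
  while (i < tag.length) {
    while (i < tag.length && (ws(tag[i]) || tag[i] === '/')) i++;
    if (i >= tag.length) break;
    let name = '';
    while (i < tag.length && !ws(tag[i]) && tag[i] !== '=' && tag[i] !== '/') name += tag[i++];
    while (i < tag.length && ws(tag[i])) i++;
    if (tag[i] === '=') {
      i++;
      while (i < tag.length && ws(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < tag.length && tag[i] !== q) i++; // quoted: runs to the matching quote
        i++; // closing quote
      } else {
        while (i < tag.length && !ws(tag[i])) i++; // unquoted: whitespace ends it
      }
    }
    names.push(name.toLowerCase());
  }
  return names;
}

// Constructed inputs, taken from the advisory's proof of concept.
const UNQUOTED_TEMPLATE = '<a href={{foo}}/>';
const QUOTED_TEMPLATE = '<a href="{{foo}}"/>';
const PAYLOAD = 'test.com onload=alert(1)';

// True when the rendered markup carries an attacker-controlled onload attribute.
function injectsHandler(template, value, escape) {
  return attributeNames(render(template, { foo: value }, escape)).includes('onload');
}

console.log(render(UNQUOTED_TEMPLATE, { foo: PAYLOAD }, escapePre4)); // <a href=test.com onload=alert(1)/>
console.log(injectsHandler(UNQUOTED_TEMPLATE, PAYLOAD, escapePre4)); // true  (vulnerable)
console.log(injectsHandler(UNQUOTED_TEMPLATE, PAYLOAD, escape4));    // false (4.0.0 escapes '=')
console.log(injectsHandler(QUOTED_TEMPLATE, PAYLOAD, escapePre4));   // false (quotes contain the space)
console.log(injectsHandler(QUOTED_TEMPLATE, '" onload="alert(1)', escapePre4)); // false ('"' is escaped)
```

With the pre-4.0.0 table and the unquoted template, the tokenizer reports both href and onload, which is the advisory's rendered result. Escaping = turns the trailing text into a single harmless attribute name, and quoting the template keeps the whole value inside href even when the attacker supplies a quote, because the quote itself is escaped.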

CVE ID

CVE-2015-8861

CVSS Score

6.1 Moderate
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N