@justinbmeyer justinbmeyer released this Oct 4, 2018 · 62 commits to master since this release

Assets 2

There's a reflective xss exploit possible when the programmer makes a programming error. If a template value is initialized as null, and then changed into a string containing some exploited string, the string is rendered as a html snippet instead of text.

For example:

var map = new SimpleMap({
     foo: null
});
var frag = stache("<div>{{foo}}</div>")(map);
map.set("foo", "<p></p>");

frag //-> "<div><p></p></div>"

PR: #601