Security vulnerability in handlebars javascript package

Description

The handlebars.js script is vulnerable to a cross-site scripting (XSS) vulnerability because its escapeExpression class does not properly escape the equal sign (=).

This only affects output rendered with double curly braces ({{ }}); triple braces ({{{ }}}) perform no escaping at all.

This appears to be fixed in version 4.0.0 and above.

See https://github.com/wycats/handlebars.js/pull/1083
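The following is an added example, not code from this issue or from the handlebars.js project: a small HTML escaper modelled on escapeExpression in a legacy variant that leaves "=" untouched and a fixed variant that encodes it, plus a check a build can run against whichever escapeExpression is installed. The entity value &#x3D; and the exact character map are assumptions made for the example.

```javascript
// Added example (not from the issue or from handlebars.js itself).
// Character map assumed to mirror escapeExpression before 4.0.0: "=" is absent.
const LEGACY_ESCAPE = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "`": "&#x60;",
};

// Map assumed to mirror 4.0.0 and above: "=" is also encoded (entity assumed).
const FIXED_ESCAPE = { ...LEGACY_ESCAPE, "=": "&#x3D;" };

// Build an escaper from a character map; null/undefined render as "".
function makeEscaper(map) {
  const re = new RegExp("[" + Object.keys(map).join("") + "]", "g");
  return (value) => {
    if (value == null) return "";
    return String(value).replace(re, (ch) => map[ch]);
  };
}

const escapeLegacy = makeEscaper(LEGACY_ESCAPE); // pre-4.0.0 behaviour
const escapeFixed = makeEscaper(FIXED_ESCAPE);   // 4.0.0+ behaviour

// Regression check: feed each character of the fixed map through an
// escapeExpression implementation and report those it passes through
// unchanged. An empty list means the "=" fix (and the rest) is present.
function unescapedMetachars(escapeFn) {
  return Object.keys(FIXED_ESCAPE).filter((ch) => escapeFn(ch) === ch);
}

// Constructed sample value containing "=" to show the difference.
const SAMPLE = 'a=b "c"';
console.log("legacy:", escapeLegacy(SAMPLE)); // a=b &quot;c&quot;
console.log("fixed: ", escapeFixed(SAMPLE));  // a&#x3D;b &quot;c&quot;
console.log("legacy leaves:", unescapedMetachars(escapeLegacy)); // [ '=' ]
console.log("fixed leaves: ", unescapedMetachars(escapeFixed));  // []
```

To verify a real installation, pass the library's own function: `unescapedMetachars(require("handlebars").escapeExpression)` should return an empty array on 4.0.0 and above.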

Environment

None

Activity

Dan Timoney July 15, 2020 at 11:01 AM

No longer reported in Nexus IQ scan

Done

Details

Created January 23, 2019 at 2:06 PM
Updated July 15, 2020 at 11:01 AM
Resolved July 15, 2020 at 11:01 AM