Update xss_templates.yaml (#120)
* Update xss_templates.yaml

Update description for rule handlebars_safestring

* Update xss_templates.yaml
sebasrevuelta authored Oct 23, 2024
1 parent d231083 commit 337d0be
Showing 1 changed file with 1 addition and 2 deletions.
3 changes: 1 addition & 2 deletions njsscan/rules/semantic_grep/xss/xss_templates.yaml
@@ -4,8 +4,7 @@ rules:
- pattern: $X.SafeString(...)
- pattern: new Handlebars.SafeString(...)
message: >-
Handlebars SafeString will not escape the data passed through it.
Untrusted user input passing through SafeString can cause XSS.
When you use SafeString or triple curly braces ({{{ }}}), Handlebars does not escape the content, allowing raw HTML to be rendered in the browser. This is useful if you want to insert valid HTML content into your template, like bold text (<strong>) or links (<a>), but it becomes dangerous if you are dealing with untrusted or user-generated content, as it can cause a Cross-site scripting attack (XSS). You should only use SafeString when the content is trusted. For example, if the content is generated by the server and does not come from user input or an untrusted source. If you are dealing with user-generated content, make sure to sanitize it to remove any malicious scripts before marking it as "safe".
languages:
- javascript
severity: ERROR
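Review bot: the replacement message describes triple-curly `{{{ }}}` output as well as SafeString, but the two patterns in this rule (`$X.SafeString(...)` and `new Handlebars.SafeString(...)`) only match SafeString calls, so a finding reported under this rule will tell the user about a construct it did not detect; either restrict the text to SafeString or make clear that triple-stash is a related case rather than what was flagged. The new message is also a single very long line inside a `>-` folded scalar: folding turns newlines into spaces, so wrapping it at a reasonable width changes nothing in the rendered output and keeps the YAML readable and diffable. Finally, "sanitize it to remove any malicious scripts" undersells the remediation; tell the user to run untrusted HTML through an allowlisting HTML sanitizer before wrapping it in SafeString, or, where raw HTML is not actually needed, to drop SafeString and let `{{ }}` escape the value.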
