From 337d0be28da0fffccc24720be87fb390d672ced5 Mon Sep 17 00:00:00 2001 From: sebasrevuelta <122784773+sebasrevuelta@users.noreply.github.com> Date: Wed, 23 Oct 2024 19:31:03 +0200 Subject: [PATCH] Update xss_templates.yaml (#120) * Update xss_templates.yaml Update description for rule handlebars_safestring * Update xss_templates.yaml --- njsscan/rules/semantic_grep/xss/xss_templates.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/njsscan/rules/semantic_grep/xss/xss_templates.yaml b/njsscan/rules/semantic_grep/xss/xss_templates.yaml index 5c46c91..06c36ec 100644 --- a/njsscan/rules/semantic_grep/xss/xss_templates.yaml +++ b/njsscan/rules/semantic_grep/xss/xss_templates.yaml @@ -4,8 +4,7 @@ rules: - pattern: $X.SafeString(...) - pattern: new Handlebars.SafeString(...) message: >- - Handlebars SafeString will not escape the data passed through it. - Untrusted user input passing through SafeString can cause XSS. + When you use SafeString or triple curly braces ({{{ }}}), Handlebars does not escape the content, allowing raw HTML to be rendered in the browser. This is useful if you want to insert valid HTML content into your template, like bold text () or links (), but it becomes dangerous if you are dealing with untrusted or user-generated content, as it can cause a Cross-site scripting attack (XSS). You should only use SafeString when the content is trusted. For example, if the content is generated by the server and does not come from user input or an untrusted source. If you are dealing with user-generated content, make sure to sanitize it to remove any malicious scripts before marking it as "safe". languages: - javascript severity: ERROR
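Review bot: the examples in the new message text are empty, "like bold text () or links ()", so the HTML tags that were meant to sit inside the parentheses (most likely a `<b>` and an `<a>` element) were lost when the message was edited; either restore them escaped so YAML and the report renderer keep them, or drop the parenthetical, since an empty "()" in a finding message reads as a bug to the user. Two smaller points on the same hunk: the message also describes triple curly braces (`{{{ }}}`) as unescaped output, but the rule's patterns only match `$X.SafeString(...)` and `new Handlebars.SafeString(...)`, so a reader of the finding may assume triple-brace output is also flagged when it is not; either reword the message to cover only what the patterns detect or add a pattern for the triple-brace case in a separate change. Finally, the replacement collapses the folded `>-` block into one very long line where the removed text was wrapped at roughly 80 columns; wrapping the new text the same way keeps the file consistent with the other rules in this directory and produces a readable diff next time the message changes.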