Add warning around securing locals to render

expressjs · Oct 3, 2023 · fcaca7f · fcaca7f
1 parent 5e918ea
commit fcaca7f
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 0 deletions.
diff --git a/_includes/api/en/4x/app-locals.md b/_includes/api/en/4x/app-locals.md
@@ -3,6 +3,14 @@
 The `app.locals` object has properties that are local variables within the application,
 and will be available in templates rendered with [res.render](#res.render).
 
+<div class="doc-box doc-warn" markdown="1">
+The `locals` object is used by view engines to render a response. The object
+keys may be particularly sensitive and should not contain user-controlled
+input, as it may affect the operation of the view engine or provide a path to
+cross-site scripting. Consult the documentation for the used view engine for
+additional considerations.
+</div>
+
 ```js
 console.dir(app.locals.title)
 // => 'My App'

diff --git a/_includes/api/en/4x/app-render.md b/_includes/api/en/4x/app-render.md
@@ -15,6 +15,14 @@ disk and evaluating Node.js modules, and as so for security reasons should not
 contain input from the end-user.
 </div>
 
+<div class="doc-box doc-warn" markdown="1">
+The `locals` object is used by view engines to render a response. The object
+keys may be particularly sensitive and should not contain user-controlled
+input, as it may affect the operation of the view engine or provide a path to
+cross-site scripting. Consult the documentation for the used view engine for
+additional considerations.
+</div>
+
 <div class="doc-box doc-notice" markdown="1">
 The local variable `cache` is reserved for enabling view cache. Set it to `true`, if you want to
 cache view during development; view caching is enabled in production by default.

diff --git a/_includes/api/en/4x/res-locals.md b/_includes/api/en/4x/res-locals.md
@@ -4,6 +4,14 @@ Use this property to set variables accessible in templates rendered with [res.re
 The variables set on `res.locals` are available within a single request-response cycle, and will not
 be shared between requests.
 
+<div class="doc-box doc-warn" markdown="1">
+The `locals` object is used by view engines to render a response. The object
+keys may be particularly sensitive and should not contain user-controlled
+input, as it may affect the operation of the view engine or provide a path to
+cross-site scripting. Consult the documentation for the used view engine for
+additional considerations.
+</div>
+
 In order to keep local variables for use in template rendering between requests, use
 [app.locals](#app.locals) instead.
 

diff --git a/_includes/api/en/4x/res-render.md b/_includes/api/en/4x/res-render.md
@@ -16,6 +16,14 @@ disk and evaluating Node.js modules, and as so for security reasons should not
 contain input from the end-user.
 </div>
 
+<div class="doc-box doc-warn" markdown="1">
+The `locals` object is used by view engines to render a response. The object
+keys may be particularly sensitive and should not contain user-controlled
+input, as it may affect the operation of the view engine or provide a path to
+cross-site scripting. Consult the documentation for the used view engine for
+additional considerations.
+</div>
+
 <div class="doc-box doc-notice" markdown="1">
 The local variable `cache` enables view caching. Set it to `true`,
 to cache the view during development; view caching is enabled in production by default.