handlebars provides the power necessary to let you build semantic templates.
When using attributes without quotes in a handlebars template, an attacker can manipulate the input to introduce additional attributes, potentially executing code. This may lead to a Cross-site Scripting (XSS) vulnerability, assuming an attacker can influence the value entered into the template. If the handlebars template is used to render user-generated content, this vulnerability may escalate to a persistent XSS vulnerability.
These attacks are possible by escaping the context of the web application and injecting malicious scripts in an otherwise trusted website. These scripts can introduce additional attributes (say, a "new" option in a dropdown list or a new link to a malicious site) and can potentially execute code on the clients side, unbeknown to the victim. This occurs when characters like
' are not escaped properly.
There are a few types of XSS:
- Persistent XSS is an attack in which the malicious code persists into the web app’s database.
- Reflected XSS is an which the website echoes back a portion of the request. The attacker needs to trick the user into clicking a malicious link (for instance through a phishing email or malicious JS on another page), which triggers the XSS attack.
Assume handlebars was used to display user comments and avatar, using the following template:
If an attacker spoofed their avatar URL and provided the following value:
The resulting HTML would be the following, triggering the script once the image loads:
<img src=http://evil.org/avatar.png onload=alert(document.cookie)><pre>Gotcha!</pre>
Snyk patch available for versions:
- <4.0.0 >=3.0.2