- Bug
- Resolution: Done
- Medium
- Dublin Release
- SDNC Dublin Spr 3 3/11 - 3/29, SDNC Fr Sp2:11/23-12/13
The handlebars.js script is vulnerable to cross-site scripting (XSS) because its escapeExpression class does not properly escape the equals sign (=).
This only occurs when double curly braces {{}} are used (as opposed to triple, which does no escaping).
This appears to be fixed in version 4.0.0 and above.
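The difference described above, as an added example that is not part of the original report or Handlebars' own source. `escapeBefore` and `escapeFixed` are simplified models of the escaping before and from 4.0.0, `escapesEquals` and `isAffectedVersion` are hypothetical helper names, and the `a=b` input is constructed.

```javascript
// Characters escaped by the model of the pre-4.0.0 behaviour: no '=' entry.
const BASE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

// Build an escaper that replaces every character listed in `map`.
function makeEscaper(map) {
  const bad = new RegExp('[' + Object.keys(map).join('') + ']', 'g');
  return (value) => String(value).replace(bad, (ch) => map[ch]);
}

const escapeBefore = makeEscaper(BASE_MAP);                       // '=' passes through
const escapeFixed = makeEscaper({ ...BASE_MAP, '=': '&#x3D;' });  // '=' is encoded

// Behavioural probe: true when the given escape function encodes '='.
// In a real page or build, pass Handlebars.Utils.escapeExpression.
function escapesEquals(escapeFn) {
  return !escapeFn('a=b').includes('=');
}

// Dependency check based on the report's statement that 4.0.0 and above
// appear fixed. Accepts "3.0.3", "v3.0.3" or a range prefix such as "^3.0.3";
// only the leading major number is compared (assumption: no pre-release tags).
function isAffectedVersion(version) {
  const major = parseInt(String(version).replace(/^[^\d]*/, ''), 10);
  if (Number.isNaN(major)) {
    throw new Error('unrecognised version: ' + version);
  }
  return major < 4;
}

// Constructed sample values.
console.log(escapeBefore('a=b'));        // unchanged
console.log(escapeFixed('a=b'));         // '=' encoded as an entity
console.log(escapesEquals(escapeBefore), escapesEquals(escapeFixed));
console.log(isAffectedVersion('^3.0.3'), isAffectedVersion('4.0.0'));
```

The probe tests the behaviour of the loaded library directly, so it still gives the right answer when a bundled or vendored copy does not match the version declared in the manifest.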