Mustache XSS-proof?

I have been thinking about XSS vulnerabilities in my application. On the server side I do not sanitize input or output, so

<script>alert(document.cookies)</script> 

is stored in the database just like that. To display this value on the client side I use Mustache. If this script were executed by the administrator, it would of course be easy to capture his session. However, I noticed that Mustache by default escapes these values, including \ " < >, when you use the {{}} syntax. Do I need to worry about XSS when the value from the database is inserted into

 <p>{{value}}</p> 

or even

 <p data-id='{{value}}'>something</p> 

? Should I perhaps browse my Mustache templates to find any vulnerable code, or, as long as I do not use

 <script>{{value}}</script> 

am I safe?

1 answer

Well, you should always worry :) But yes, Mustache achieves the goal you are talking about here and protects your examples from XSS (except when you output the value directly into a <script> ).

Note: make sure the Mustache implementation you use escapes single quotes. Apparently this is not in the specification ( https://github.com/mustache/spec/issues/69 ), but the major implementations fortunately escape it anyway.

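To make the answer concrete, here is an added example (not code from the question, the answer, or mustache.js itself) that models what a {{value}} tag does and why the <script> case is the exception. The names escapeHtml, render, toJsLiteral and mustacheTagsInsideScript are mine, and the entity map is an assumption about what mustache.js escapes by default; check it against the escapeHtml of the implementation you actually ship. The last function is the template audit the question asks about: it lists every Mustache tag that sits inside a <script> element, where HTML escaping buys nothing.

```javascript
// Added example: a stand-in for Mustache's {{value}} escaping plus the checks
// discussed above. Not mustache.js and not the poster's code.
// ASSUMPTION: this entity map mirrors what mustache.js escapes by default
// (& < > " ' / ` =); verify against your implementation before relying on it.
const ENTITY_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#39;', '/': '&#x2F;', '`': '&#x60;', '=': '&#x3D;',
};

// HTML-escape a value the way a {{tag}} does.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=\/]/g, (ch) => ENTITY_MAP[ch]);
}

// Minimal renderer with Mustache's two interpolation forms:
// {{name}} is escaped, {{{name}}} is inserted raw.
function render(template, view) {
  return template.replace(
    /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g,
    (_m, raw, esc) => (raw !== undefined ? String(view[raw]) : escapeHtml(view[esc]))
  );
}

// Encode a value as a JavaScript string literal that is safe inside <script>.
// HTML entities are the wrong tool in that context: the browser does not decode
// them inside script text, so JSON-encode and \u-escape the characters that
// could otherwise close the script element.
function toJsLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Template audit: every Mustache tag that appears inside a <script> element.
// Those are the spots to review, because {{value}} escaping does not cover them.
function mustacheTagsInsideScript(template) {
  const found = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(template)) !== null) {
    found.push(...(m[1].match(/\{\{\{?\s*[\w.]+\s*\}?\}\}/g) || []));
  }
  return found;
}

// Constructed sample values; run with node to see each context side by side.
if (typeof require !== 'undefined' && require.main === module) {
  const stored = '<script>alert(document.cookie)</script>'; // the stored value from the question
  console.log(render('<p>{{value}}</p>', { value: stored }));                       // tags become entities
  console.log(render("<p data-id='{{value}}'>something</p>", { value: "it's" }));  // quote becomes &#39;
  console.log(escapeHtml('alert(document.cookie)'));                                // unchanged: nothing to escape
  console.log(render('<script>var id = {{{value}}};</script>', { value: toJsLiteral(stored) }));
  console.log(mustacheTagsInsideScript('<p>{{a}}</p><script>var id = {{a}};</script>'));
}
```

The third call is the point of the answer's exception: a value such as `alert(document.cookie)` contains none of the escaped characters, so `<script>var id = {{value}};</script>` would run it unchanged no matter how well the implementation escapes HTML. The safe pattern is to pass data through a data attribute (the second call) or to pre-encode it with toJsLiteral and insert it with the raw triple-mustache form, as in the fourth call.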
