JS: Add similar test for hbs

asgerf · asgerf · commit 1444ec52552d · 2021-08-11T12:50:54.000+02:00
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.expected b/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.expected
@@ -5,6 +5,12 @@ nodes
 | app.js:17:25:17:48 | req.que ... shSink1 |
 | app.js:19:35:19:68 | req.que ... rString |
 | app.js:19:35:19:68 | req.que ... rString |
+| app.js:34:30:34:58 | req.que ... tedCode |
+| app.js:34:30:34:58 | req.que ... tedCode |
+| app.js:36:25:36:48 | req.que ... shSink1 |
+| app.js:36:25:36:48 | req.que ... shSink1 |
+| app.js:38:35:38:68 | req.que ... rString |
+| app.js:38:35:38:68 | req.que ... rString |
 | views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> |
 | views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> |
 | views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode |
@@ -14,20 +20,44 @@ nodes
 | views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> |
 | views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> |
 | views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString |
+| views/hbs_sinks.hbs:13:39:13:63 | {{ dataInGeneratedCode }} |
+| views/hbs_sinks.hbs:13:39:13:63 | {{ dataInGeneratedCode }} |
+| views/hbs_sinks.hbs:13:42:13:60 | dataInGeneratedCode |
+| views/hbs_sinks.hbs:16:19:16:38 | {{ backslashSink1 }} |
+| views/hbs_sinks.hbs:16:19:16:38 | {{ backslashSink1 }} |
+| views/hbs_sinks.hbs:16:22:16:35 | backslashSink1 |
+| views/hbs_sinks.hbs:21:39:21:68 | {{ dataInEventHandlerString }} |
+| views/hbs_sinks.hbs:21:39:21:68 | {{ dataInEventHandlerString }} |
+| views/hbs_sinks.hbs:21:42:21:65 | dataInE ... rString |
 edges
 | app.js:15:30:15:58 | req.que ... tedCode | views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode |
 | app.js:15:30:15:58 | req.que ... tedCode | views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode |
 | app.js:17:25:17:48 | req.que ... shSink1 | views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 |
 | app.js:17:25:17:48 | req.que ... shSink1 | views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 |
 | app.js:19:35:19:68 | req.que ... rString | views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString |
 | app.js:19:35:19:68 | req.que ... rString | views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString |
+| app.js:34:30:34:58 | req.que ... tedCode | views/hbs_sinks.hbs:13:42:13:60 | dataInGeneratedCode |
+| app.js:34:30:34:58 | req.que ... tedCode | views/hbs_sinks.hbs:13:42:13:60 | dataInGeneratedCode |
+| app.js:36:25:36:48 | req.que ... shSink1 | views/hbs_sinks.hbs:16:22:16:35 | backslashSink1 |
+| app.js:36:25:36:48 | req.que ... shSink1 | views/hbs_sinks.hbs:16:22:16:35 | backslashSink1 |
+| app.js:38:35:38:68 | req.que ... rString | views/hbs_sinks.hbs:21:42:21:65 | dataInE ... rString |
+| app.js:38:35:38:68 | req.que ... rString | views/hbs_sinks.hbs:21:42:21:65 | dataInE ... rString |
 | views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode | views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> |
 | views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode | views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> |
 | views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 | views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> |
 | views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 | views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> |
 | views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString | views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> |
 | views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString | views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> |
+| views/hbs_sinks.hbs:13:42:13:60 | dataInGeneratedCode | views/hbs_sinks.hbs:13:39:13:63 | {{ dataInGeneratedCode }} |
+| views/hbs_sinks.hbs:13:42:13:60 | dataInGeneratedCode | views/hbs_sinks.hbs:13:39:13:63 | {{ dataInGeneratedCode }} |
+| views/hbs_sinks.hbs:16:22:16:35 | backslashSink1 | views/hbs_sinks.hbs:16:19:16:38 | {{ backslashSink1 }} |
+| views/hbs_sinks.hbs:16:22:16:35 | backslashSink1 | views/hbs_sinks.hbs:16:19:16:38 | {{ backslashSink1 }} |
+| views/hbs_sinks.hbs:21:42:21:65 | dataInE ... rString | views/hbs_sinks.hbs:21:39:21:68 | {{ dataInEventHandlerString }} |
+| views/hbs_sinks.hbs:21:42:21:65 | dataInE ... rString | views/hbs_sinks.hbs:21:39:21:68 | {{ dataInEventHandlerString }} |
 #select
 | views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> | app.js:15:30:15:58 | req.que ... tedCode | views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> | $@ flows to here and is interpreted as code. | app.js:15:30:15:58 | req.que ... tedCode | User-provided value |
 | views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> | app.js:17:25:17:48 | req.que ... shSink1 | views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> | $@ flows to here and is interpreted as code. | app.js:17:25:17:48 | req.que ... shSink1 | User-provided value |
 | views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> | app.js:19:35:19:68 | req.que ... rString | views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> | $@ flows to here and is interpreted as code. | app.js:19:35:19:68 | req.que ... rString | User-provided value |
+| views/hbs_sinks.hbs:13:39:13:63 | {{ dataInGeneratedCode }} | app.js:34:30:34:58 | req.que ... tedCode | views/hbs_sinks.hbs:13:39:13:63 | {{ dataInGeneratedCode }} | $@ flows to here and is interpreted as code. | app.js:34:30:34:58 | req.que ... tedCode | User-provided value |
+| views/hbs_sinks.hbs:16:19:16:38 | {{ backslashSink1 }} | app.js:36:25:36:48 | req.que ... shSink1 | views/hbs_sinks.hbs:16:19:16:38 | {{ backslashSink1 }} | $@ flows to here and is interpreted as code. | app.js:36:25:36:48 | req.que ... shSink1 | User-provided value |
+| views/hbs_sinks.hbs:21:39:21:68 | {{ dataInEventHandlerString }} | app.js:38:35:38:68 | req.que ... rString | views/hbs_sinks.hbs:21:39:21:68 | {{ dataInEventHandlerString }} | $@ flows to here and is interpreted as code. | app.js:38:35:38:68 | req.que ... rString | User-provided value |
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/Xss.expected b/javascript/ql/test/library-tests/frameworks/Templating/Xss.expected
@@ -9,6 +9,16 @@ nodes
 | app.js:16:33:16:64 | req.que ... CodeRaw |
 | app.js:20:38:20:74 | req.que ... ringRaw |
 | app.js:20:38:20:74 | req.que ... ringRaw |
+| app.js:27:18:27:34 | req.query.rawHtml |
+| app.js:27:18:27:34 | req.query.rawHtml |
+| app.js:30:26:30:46 | req.que ... tmlProp |
+| app.js:30:26:30:46 | req.que ... tmlProp |
+| app.js:33:33:33:64 | req.que ... eralRaw |
+| app.js:33:33:33:64 | req.que ... eralRaw |
+| app.js:35:33:35:64 | req.que ... CodeRaw |
+| app.js:35:33:35:64 | req.que ... CodeRaw |
+| app.js:39:38:39:74 | req.que ... ringRaw |
+| app.js:39:38:39:74 | req.que ... ringRaw |
 | views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
 | views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
 | views/ejs_sinks.ejs:4:13:4:19 | rawHtml |
@@ -24,6 +34,21 @@ nodes
 | views/ejs_sinks.ejs:22:39:22:72 | <%- dataInEventHandlerStringRaw %> |
 | views/ejs_sinks.ejs:22:39:22:72 | <%- dataInEventHandlerStringRaw %> |
 | views/ejs_sinks.ejs:22:43:22:69 | dataInE ... ringRaw |
+| views/hbs_sinks.hbs:4:9:4:23 | {{{ rawHtml }}} |
+| views/hbs_sinks.hbs:4:9:4:23 | {{{ rawHtml }}} |
+| views/hbs_sinks.hbs:4:13:4:19 | rawHtml |
+| views/hbs_sinks.hbs:7:9:7:34 | {{{ object.rawHtmlProp }}} |
+| views/hbs_sinks.hbs:7:9:7:34 | {{{ object.rawHtmlProp }}} |
+| views/hbs_sinks.hbs:7:13:7:30 | object.rawHtmlProp |
+| views/hbs_sinks.hbs:11:43:11:72 | {{{ dataInStringLiteralRaw }}} |
+| views/hbs_sinks.hbs:11:43:11:72 | {{{ dataInStringLiteralRaw }}} |
+| views/hbs_sinks.hbs:11:47:11:68 | dataInS ... eralRaw |
+| views/hbs_sinks.hbs:14:42:14:71 | {{{ dataInGeneratedCodeRaw }}} |
+| views/hbs_sinks.hbs:14:42:14:71 | {{{ dataInGeneratedCodeRaw }}} |
+| views/hbs_sinks.hbs:14:46:14:67 | dataInG ... CodeRaw |
+| views/hbs_sinks.hbs:22:39:22:73 | {{{ dataInEventHandlerStringRaw }}} |
+| views/hbs_sinks.hbs:22:39:22:73 | {{{ dataInEventHandlerStringRaw }}} |
+| views/hbs_sinks.hbs:22:43:22:69 | dataInE ... ringRaw |
 edges
 | app.js:8:18:8:34 | req.query.rawHtml | views/ejs_sinks.ejs:4:13:4:19 | rawHtml |
 | app.js:8:18:8:34 | req.query.rawHtml | views/ejs_sinks.ejs:4:13:4:19 | rawHtml |
@@ -35,6 +60,16 @@ edges
 | app.js:16:33:16:64 | req.que ... CodeRaw | views/ejs_sinks.ejs:14:46:14:67 | dataInG ... CodeRaw |
 | app.js:20:38:20:74 | req.que ... ringRaw | views/ejs_sinks.ejs:22:43:22:69 | dataInE ... ringRaw |
 | app.js:20:38:20:74 | req.que ... ringRaw | views/ejs_sinks.ejs:22:43:22:69 | dataInE ... ringRaw |
+| app.js:27:18:27:34 | req.query.rawHtml | views/hbs_sinks.hbs:4:13:4:19 | rawHtml |
+| app.js:27:18:27:34 | req.query.rawHtml | views/hbs_sinks.hbs:4:13:4:19 | rawHtml |
+| app.js:30:26:30:46 | req.que ... tmlProp | views/hbs_sinks.hbs:7:13:7:30 | object.rawHtmlProp |
+| app.js:30:26:30:46 | req.que ... tmlProp | views/hbs_sinks.hbs:7:13:7:30 | object.rawHtmlProp |
+| app.js:33:33:33:64 | req.que ... eralRaw | views/hbs_sinks.hbs:11:47:11:68 | dataInS ... eralRaw |
+| app.js:33:33:33:64 | req.que ... eralRaw | views/hbs_sinks.hbs:11:47:11:68 | dataInS ... eralRaw |
+| app.js:35:33:35:64 | req.que ... CodeRaw | views/hbs_sinks.hbs:14:46:14:67 | dataInG ... CodeRaw |
+| app.js:35:33:35:64 | req.que ... CodeRaw | views/hbs_sinks.hbs:14:46:14:67 | dataInG ... CodeRaw |
+| app.js:39:38:39:74 | req.que ... ringRaw | views/hbs_sinks.hbs:22:43:22:69 | dataInE ... ringRaw |
+| app.js:39:38:39:74 | req.que ... ringRaw | views/hbs_sinks.hbs:22:43:22:69 | dataInE ... ringRaw |
 | views/ejs_sinks.ejs:4:13:4:19 | rawHtml | views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
 | views/ejs_sinks.ejs:4:13:4:19 | rawHtml | views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
 | views/ejs_sinks.ejs:7:13:7:30 | object.rawHtmlProp | views/ejs_sinks.ejs:7:9:7:33 | <%- object.rawHtmlProp %> |
@@ -45,9 +80,24 @@ edges
 | views/ejs_sinks.ejs:14:46:14:67 | dataInG ... CodeRaw | views/ejs_sinks.ejs:14:42:14:70 | <%- dataInGeneratedCodeRaw %> |
 | views/ejs_sinks.ejs:22:43:22:69 | dataInE ... ringRaw | views/ejs_sinks.ejs:22:39:22:72 | <%- dataInEventHandlerStringRaw %> |
 | views/ejs_sinks.ejs:22:43:22:69 | dataInE ... ringRaw | views/ejs_sinks.ejs:22:39:22:72 | <%- dataInEventHandlerStringRaw %> |
+| views/hbs_sinks.hbs:4:13:4:19 | rawHtml | views/hbs_sinks.hbs:4:9:4:23 | {{{ rawHtml }}} |
+| views/hbs_sinks.hbs:4:13:4:19 | rawHtml | views/hbs_sinks.hbs:4:9:4:23 | {{{ rawHtml }}} |
+| views/hbs_sinks.hbs:7:13:7:30 | object.rawHtmlProp | views/hbs_sinks.hbs:7:9:7:34 | {{{ object.rawHtmlProp }}} |
+| views/hbs_sinks.hbs:7:13:7:30 | object.rawHtmlProp | views/hbs_sinks.hbs:7:9:7:34 | {{{ object.rawHtmlProp }}} |
+| views/hbs_sinks.hbs:11:47:11:68 | dataInS ... eralRaw | views/hbs_sinks.hbs:11:43:11:72 | {{{ dataInStringLiteralRaw }}} |
+| views/hbs_sinks.hbs:11:47:11:68 | dataInS ... eralRaw | views/hbs_sinks.hbs:11:43:11:72 | {{{ dataInStringLiteralRaw }}} |
+| views/hbs_sinks.hbs:14:46:14:67 | dataInG ... CodeRaw | views/hbs_sinks.hbs:14:42:14:71 | {{{ dataInGeneratedCodeRaw }}} |
+| views/hbs_sinks.hbs:14:46:14:67 | dataInG ... CodeRaw | views/hbs_sinks.hbs:14:42:14:71 | {{{ dataInGeneratedCodeRaw }}} |
+| views/hbs_sinks.hbs:22:43:22:69 | dataInE ... ringRaw | views/hbs_sinks.hbs:22:39:22:73 | {{{ dataInEventHandlerStringRaw }}} |
+| views/hbs_sinks.hbs:22:43:22:69 | dataInE ... ringRaw | views/hbs_sinks.hbs:22:39:22:73 | {{{ dataInEventHandlerStringRaw }}} |
 #select
 | views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> | app.js:8:18:8:34 | req.query.rawHtml | views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> | Cross-site scripting vulnerability due to $@. | app.js:8:18:8:34 | req.query.rawHtml | user-provided value |
 | views/ejs_sinks.ejs:7:9:7:33 | <%- object.rawHtmlProp %> | app.js:11:26:11:46 | req.que ... tmlProp | views/ejs_sinks.ejs:7:9:7:33 | <%- object.rawHtmlProp %> | Cross-site scripting vulnerability due to $@. | app.js:11:26:11:46 | req.que ... tmlProp | user-provided value |
 | views/ejs_sinks.ejs:11:43:11:71 | <%- dataInStringLiteralRaw %> | app.js:14:33:14:64 | req.que ... eralRaw | views/ejs_sinks.ejs:11:43:11:71 | <%- dataInStringLiteralRaw %> | Cross-site scripting vulnerability due to $@. | app.js:14:33:14:64 | req.que ... eralRaw | user-provided value |
 | views/ejs_sinks.ejs:14:42:14:70 | <%- dataInGeneratedCodeRaw %> | app.js:16:33:16:64 | req.que ... CodeRaw | views/ejs_sinks.ejs:14:42:14:70 | <%- dataInGeneratedCodeRaw %> | Cross-site scripting vulnerability due to $@. | app.js:16:33:16:64 | req.que ... CodeRaw | user-provided value |
 | views/ejs_sinks.ejs:22:39:22:72 | <%- dataInEventHandlerStringRaw %> | app.js:20:38:20:74 | req.que ... ringRaw | views/ejs_sinks.ejs:22:39:22:72 | <%- dataInEventHandlerStringRaw %> | Cross-site scripting vulnerability due to $@. | app.js:20:38:20:74 | req.que ... ringRaw | user-provided value |
+| views/hbs_sinks.hbs:4:9:4:23 | {{{ rawHtml }}} | app.js:27:18:27:34 | req.query.rawHtml | views/hbs_sinks.hbs:4:9:4:23 | {{{ rawHtml }}} | Cross-site scripting vulnerability due to $@. | app.js:27:18:27:34 | req.query.rawHtml | user-provided value |
+| views/hbs_sinks.hbs:7:9:7:34 | {{{ object.rawHtmlProp }}} | app.js:30:26:30:46 | req.que ... tmlProp | views/hbs_sinks.hbs:7:9:7:34 | {{{ object.rawHtmlProp }}} | Cross-site scripting vulnerability due to $@. | app.js:30:26:30:46 | req.que ... tmlProp | user-provided value |
+| views/hbs_sinks.hbs:11:43:11:72 | {{{ dataInStringLiteralRaw }}} | app.js:33:33:33:64 | req.que ... eralRaw | views/hbs_sinks.hbs:11:43:11:72 | {{{ dataInStringLiteralRaw }}} | Cross-site scripting vulnerability due to $@. | app.js:33:33:33:64 | req.que ... eralRaw | user-provided value |
+| views/hbs_sinks.hbs:14:42:14:71 | {{{ dataInGeneratedCodeRaw }}} | app.js:35:33:35:64 | req.que ... CodeRaw | views/hbs_sinks.hbs:14:42:14:71 | {{{ dataInGeneratedCodeRaw }}} | Cross-site scripting vulnerability due to $@. | app.js:35:33:35:64 | req.que ... CodeRaw | user-provided value |
+| views/hbs_sinks.hbs:22:39:22:73 | {{{ dataInEventHandlerStringRaw }}} | app.js:39:38:39:74 | req.que ... ringRaw | views/hbs_sinks.hbs:22:39:22:73 | {{{ dataInEventHandlerStringRaw }}} | Cross-site scripting vulnerability due to $@. | app.js:39:38:39:74 | req.que ... ringRaw | user-provided value |
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/app.js b/javascript/ql/test/library-tests/frameworks/Templating/app.js
@@ -20,3 +20,22 @@ app.get('/ejs', (req, res) => {
         dataInEventHandlerStringRaw: req.query.dataInEventHandlerStringRaw,
     });
 });
+
+app.get('/hbs', (req, res) => {
+    res.render('hbs_sinks', {
+        escapedHtml: req.query.escapedHtml,
+        rawHtml: req.query.rawHtml,
+        rawHtmlSafeValue: 'safe',
+        object: {
+            rawHtmlProp: req.query.rawHtmlProp
+        },
+        dataInStringLiteral: req.query.dataInStringLiteral,
+        dataInStringLiteralRaw: req.query.dataInStringLiteralRaw,
+        dataInGeneratedCode: req.query.dataInGeneratedCode,
+        dataInGeneratedCodeRaw: req.query.dataInGeneratedCodeRaw,
+        backslashSink1: req.query.backslashSink1,
+        backslashSink2: req.query.backslashSink2,
+        dataInEventHandlerString: req.query.dataInEventHandlerString,
+        dataInEventHandlerStringRaw: req.query.dataInEventHandlerStringRaw,
+    });
+});
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/test.expected b/javascript/ql/test/library-tests/frameworks/Templating/test.expected
@@ -3,10 +3,12 @@ getTemplateInstantiationSyntax
 | consolidate.js:4:1:4:90 | consoli ...  => {}) | mustache |
 getLikelyTemplateSyntax
 | views/ejs_sinks.ejs:0:0:0:0 | views/ejs_sinks.ejs | ejs |
+| views/hbs_sinks.hbs:0:0:0:0 | views/hbs_sinks.hbs | mustache |
 | views/instantiated_as_ejs.html:0:0:0:0 | views/instantiated_as_ejs.html | ejs |
 | views/instantiated_as_hbs.html:0:0:0:0 | views/instantiated_as_hbs.html | mustache |
 getTargetFile
 | app.js:6:5:21:6 | res.ren ... \\n    }) | views/ejs_sinks.ejs:0:0:0:0 | views/ejs_sinks.ejs |
+| app.js:25:5:40:6 | res.ren ... \\n    }) | views/hbs_sinks.hbs:0:0:0:0 | views/hbs_sinks.hbs |
 | consolidate.js:3:1:3:83 | consoli ...  => {}) | views/instantiated_as_ejs.html:0:0:0:0 | views/instantiated_as_ejs.html |
 | consolidate.js:4:1:4:90 | consoli ...  => {}) | views/instantiated_as_hbs.html:0:0:0:0 | views/instantiated_as_hbs.html |
 xssSink
@@ -16,9 +18,18 @@ xssSink
 | views/ejs_sinks.ejs:11:43:11:71 | <%- dataInStringLiteralRaw %> |
 | views/ejs_sinks.ejs:14:42:14:70 | <%- dataInGeneratedCodeRaw %> |
 | views/ejs_sinks.ejs:22:39:22:72 | <%- dataInEventHandlerStringRaw %> |
+| views/hbs_sinks.hbs:4:9:4:23 | {{{ rawHtml }}} |
+| views/hbs_sinks.hbs:5:9:5:32 | {{{ rawHtmlSafeValue }}} |
+| views/hbs_sinks.hbs:7:9:7:34 | {{{ object.rawHtmlProp }}} |
+| views/hbs_sinks.hbs:11:43:11:72 | {{{ dataInStringLiteralRaw }}} |
+| views/hbs_sinks.hbs:14:42:14:71 | {{{ dataInGeneratedCodeRaw }}} |
+| views/hbs_sinks.hbs:22:39:22:73 | {{{ dataInEventHandlerStringRaw }}} |
 | views/instantiated_as_ejs.html:4:9:4:23 | <%- xss_sink %> |
 | views/instantiated_as_hbs.html:7:9:7:24 | {{{ xss_sink }}} |
 codeInjectionSink
 | views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> |
 | views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> |
 | views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> |
+| views/hbs_sinks.hbs:13:39:13:63 | {{ dataInGeneratedCode }} |
+| views/hbs_sinks.hbs:16:19:16:38 | {{ backslashSink1 }} |
+| views/hbs_sinks.hbs:21:39:21:68 | {{ dataInEventHandlerString }} |
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/views/hbs_sinks.hbs b/javascript/ql/test/library-tests/frameworks/Templating/views/hbs_sinks.hbs
@@ -0,0 +1,24 @@
+<html>
+    <body>
+        {{ escapedHtml }}
+        {{{ rawHtml }}}
+        {{{ rawHtmlSafeValue }}}
+
+        {{{ object.rawHtmlProp }}}
+
+        <script>
+            var dataInStringLiteral = "{{ dataInStringLiteral }}";
+            var dataInStringLiteralRaw = "{{{ dataInStringLiteralRaw }}}";
+
+            var dataInGeneratedCode = {{ dataInGeneratedCode }};
+            var dataInGeneratedCodeRaw = {{{ dataInGeneratedCodeRaw }}};
+
+            init("{{ backslashSink1 }}", "{{ backslashSink2 }}");
+
+            var ejs = "<%= rawHtml %>";
+        </script>
+
+        <button onclick="doSomething('{{ dataInEventHandlerString }}')">Click me</button>
+        <button onclick="doSomething('{{{ dataInEventHandlerStringRaw }}}')">Click me</button>
+    </body>
+</html>
