Description
Some special characters should be HTML encoded, in addition to the ones that
are being escaped today. I've reviewed other Mustache libraries looking for
how they handle this topic and whether they had any known vulnerability.
The most active one seems to be the JavaScript one
(https://github.com/janl/mustache.js). Looking into the Snyk vulnerability
database, I've found https://security.snyk.io/vuln/npm:mustache:20151207
(CVE-2015-8862), which leads to XSS exploits and does affect Boost.Mustache,
too.
Two exploits are possible:
- The backtick character seems to have special meaning in ancient versions
of IE (https://html5sec.org/#59, Backtick is added to entityMap janl/mustache.js#388).
- When using HTML unquoted attributes (e.g. ), escaping
the equal sign can mitigate the risk of attribute injection. (IMHO attributes
without quotes make kittens die, but this is listed as a vulnerability).
The JavaScript library performs this replacement:
- Backtick is replaced by &#x60;
- Equal sign is replaced by &#x3D;
They also escape the forward slash (&#x2f;). I haven't found a vulnerability
to point you to, but I guess that could be added as additional hardening,
if you like.
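As an added illustration, not code from Boost.Mustache or mustache.js, here is a C++ escaping routine in the spirit of the issue: it assumes the five characters commonly escaped today (& < > " ') and makes the three extra replacements discussed above (backtick, equal sign, forward slash, using the mustache.js entities) switchable, so the current and hardened behaviours can be compared on the same input. The function names are hypothetical.

```cpp
#include <string>
#include <string_view>

// Hypothetical escaper (added example). 'extended' enables the three extra
// replacements proposed in the issue; with it off, only the assumed baseline
// set of five characters is escaped.
std::string html_escape(std::string_view in, bool extended = true)
{
    std::string out;
    out.reserve(in.size() + 16);
    for (char c : in) {
        switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;
        // Extra hardening from the issue: backtick (attribute delimiter in
        // old IE), equal sign (attribute injection into unquoted attributes)
        // and forward slash, using the same entities as mustache.js.
        case '`':  out += extended ? "&#x60;" : "`"; break;
        case '=':  out += extended ? "&#x3D;" : "="; break;
        case '/':  out += extended ? "&#x2F;" : "/"; break;
        default:   out += c;
        }
    }
    return out;
}

// Check helper: true if any of the eight characters above survives in the
// escaped output, which indicates the escaper is not covering the full set.
bool has_unescaped_hazard(std::string_view escaped)
{
    return escaped.find_first_of("&<>\"'`=/") != std::string_view::npos
           // an '&' is only a hazard if it does not start an entity we emit
           && !(escaped.find_first_of("<>\"'`=/") == std::string_view::npos);
}

int main()
{
    // Constructed sample value destined for an unquoted attribute.
    std::string_view sample = "x`y=z/w";
    std::string baseline = html_escape(sample, false); // equals sign kept
    std::string hardened = html_escape(sample, true);  // all three encoded
    return (has_unescaped_hazard(baseline) && !has_unescaped_hazard(hardened)) ? 0 : 1;
}
```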