magynhard/curly-bracket-parser

Snyk warning: Cross-site Scripting (XSS)

Closed this issue · 1 comment

Thank you for your information.

The example there is general blah blah. CurlyBracketParser is not a template library, but a general string parser, independent of HTML or web. We explicitly don't want to sanitize strings, because we don't want to change the original data input. It is a design decision whether implicit sanitizing is supported or explicitly left to the developer. This is not the case here, nor is it planned.

In summary: The linked report is bullshit.

So have fun using CurlyBracketParser. If you need a good templating engine, have a look at EJS.
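To make the maintainer's point concrete: a plain placeholder parser substitutes values verbatim, so escaping is the caller's responsibility whenever the output is inserted into HTML. The following is an added example written for this page, not code from the curly-bracket-parser project; `substitute()` is a hypothetical stand-in for a `{{name}}` string parser that does not sanitize, and `escapeHtml()` / `substituteForHtml()` show the escaping step the developer has to add. The untrusted value and the templates are constructed for the example.

```javascript
// Added example, not code from the curly-bracket-parser project.
// substitute() is a hypothetical stand-in for a plain {{name}} string parser:
// it replaces each placeholder with the variable's value unchanged and leaves
// unknown placeholders as they are. Like the library, it does not sanitize.
function substitute(template, vars) {
  return template.replace(
    /\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/g,
    (match, name) =>
      Object.prototype.hasOwnProperty.call(vars, name) ? String(vars[name]) : match
  );
}

// HTML escaping is the caller's job. Escape the five characters that can
// break out of an element body or a quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Escape each variable before substitution, so the template's own markup is
// preserved and only the untrusted values are neutralised.
function substituteForHtml(template, vars) {
  const safeVars = {};
  for (const [name, value] of Object.entries(vars)) {
    safeVars[name] = escapeHtml(value);
  }
  return substitute(template, safeVars);
}

// Constructed untrusted input: a typical stored-XSS probe used as a display name.
const untrustedName = '<img src=x onerror=alert(1)>';
const htmlTemplate = '<p>Hello, {{ name }}!</p>';

// Plain substitution: the value lands in the HTML unchanged.
const rawHtml = substitute(htmlTemplate, { name: untrustedName });

// Developer-side escaping: the same value is rendered inert.
const safeHtml = substituteForHtml(htmlTemplate, { name: untrustedName });

// Non-HTML use, e.g. a log line or a notification text: nothing to escape,
// and changing the input would corrupt the message.
const logMessage = substitute('Backup of {{host}} finished at {{time}}', {
  host: 'db01',
  time: '02:00',
});

console.log(rawHtml);
console.log(safeHtml);
console.log(logMessage);
```

The same split applies whichever engine does the substitution: decide per output context (HTML body, attribute, URL, shell, SQL) what escaping the values need and apply it before or after the parser, rather than expecting a context-free string parser to guess the context for you.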