Improper Encoding or Escaping of Output
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-116: Improper Encoding or Escaping of Output |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Mustache escapes the value of every `{{variable}}` tag as HTML before inserting it into the output. Disabling that escaping, for example by overriding the engine's escape function with one that returns its input unchanged (in mustache.js, `Mustache.escape = function (text) { return text; }`), causes untrusted user input to be rendered as raw HTML everywhere the template is used. The triple-mustache form `{{{variable}}}` and its alias `{{& variable}}` skip escaping for a single tag and carry the same risk when they receive untrusted data. Output escaping is the template layer's main defense against cross-site scripting (XSS); removing it leaves the application relying on every caller to sanitize every value first.
Impact
If markup escaping is turned off, any template value an attacker can influence (a display name, a comment, a query parameter echoed back) becomes an injection point. Markup such as a `<script>` tag or an element with an event-handler attribute is rendered verbatim, and the browser executes it in your application's origin. From there the injected script can read cookies and local storage, send requests that carry the victim's session, or rewrite what the page displays. The practical consequences are stolen user data, hijacked sessions and compromised accounts, leading to data breaches and loss of user trust.
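The following is an added example, not code from the original page or from the mustache.js project. It uses a small Mustache-style renderer written for this example, so it runs offline without the `mustache` npm package, and reproduces the two escaping paths that matter here: `{{name}}` passes through an escape function (the role played by `Mustache.escape` in mustache.js, whose entity table is reused below), while `{{{name}}}` and `{{& name}}` are inserted raw. The payload, template and view are constructed for the demonstration; the function and variable names are the example's own.

```javascript
// Added example (not the original page's code): a minimal Mustache-style
// renderer showing what happens when output escaping is disabled.

// The entity table mustache.js uses for {{var}} tags.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#39;', '/': '&#x2F;', '`': '&#x60;', '=': '&#x3D;',
};

// Safe default: HTML-escape every character that can open a tag,
// attribute or entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"'`=\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Tiny renderer: {{{var}}} and {{& var}} are inserted raw, {{var}} goes
// through `escape`. `escape` stands in for Mustache.escape; passing an
// identity function is the pattern the rule flags.
function render(template, view, escape = escapeHtml) {
  const tag = /\{\{\{\s*(\w+)\s*\}\}\}|\{\{&\s*(\w+)\s*\}\}|\{\{\s*(\w+)\s*\}\}/g;
  return template.replace(tag, (_match, raw1, raw2, escaped) => {
    const key = raw1 || raw2 || escaped;
    const value = view[key] == null ? '' : String(view[key]);
    return escaped ? escape(value) : value;
  });
}

// Constructed attacker-controlled input, e.g. a user-chosen display name.
const payload = '<img src=x onerror="alert(document.cookie)">';
const template = '<p>Hello, {{name}}!</p>';

// Default configuration: the payload is neutralised into text.
function renderSafely() {
  return render(template, { name: payload });
}

// Vulnerable: escaping disabled globally, the equivalent of
// `Mustache.escape = (text) => text;` in mustache.js.
function renderWithEscapingDisabled() {
  return render(template, { name: payload }, (text) => text);
}

// Equally vulnerable: the template author opted out for this one tag.
function renderTripleMustache() {
  return render('<p>Hello, {{{name}}}!</p>', { name: payload });
}

// Quick check a reviewer can run over rendered output: does an element
// tag survive into the HTML?
function containsRawTag(html) {
  return /<img\s/i.test(html);
}

console.log('safe:     ', renderSafely());
console.log('disabled: ', renderWithEscapingDisabled());
console.log('triple:   ', renderTripleMustache());
```

Only the first call produces output the browser treats as text (`&lt;img src&#x3D;x ...`); the other two hand the browser a live `<img>` element whose `onerror` handler runs. The fix is to keep the default escape function and reserve `{{{var}}}` for values that have already been sanitized with an HTML sanitizer, never for raw user input.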