GMS-2016-71: XSS in autoescape mode

October 17, 2016

Nunjucks has a cross site scripting (XSS) vulnerability in autoescape mode: all template vars should automatically be escaped. By using an array for the keys, it is possible to bypass autoescaping and inject content into the DOM.

References

github.com/matt-/nunjucks_test
github.com/mozilla/nunjucks/commit/038ba1e29990ca0eeafcf77125f4d9f960723f60
github.com/mozilla/nunjucks/issues/835

Detect and mitigate GMS-2016-71 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →