Update javascript/ql/src/experimental/Security/CWE-94/ServerSideTemplateInjection.qhelp

Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
This commit is contained in:
monkey-junkie
2020-05-05 15:24:24 +03:00
committed by GitHub
parent 0aaa8af3bd
commit a8019705b5

@@ -27,7 +27,7 @@ The Pug template engine (and other template engines) provides an interpolation f
For example, <code>Hello #{user.username}!</code>, could be used for printing a username from a scoped variable user,
but the <code>user.username</code> expression will be executed as JavaScript.
Unsafe injection of user input in a template therefore allows an attacker to inject arbitrary JavaScript code.
For example, a payload of <code>#{global.process.exit(1)}</code> will cause the server to crash.
For example, a payload of <code>#{global.process.exit(1)}</code> will cause the below server to crash.
</p>
<sample src="examples/ServerSideTemplateInjection.js" />
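Review bot: "the below server" in the replacement sentence is awkward and its referent is implicit; since the point of the edit is to tie the `#{global.process.exit(1)}` payload to the `<sample src="examples/ServerSideTemplateInjection.js" />` that follows, say so directly, e.g. "will cause the server in the example below to crash." While touching this paragraph, the unchanged line "For example, <code>Hello #{user.username}!</code>, could be used for printing a username" carries a stray comma after the closing `</code>` that should be dropped, and two sentences in the same paragraph now open with "For example"; the second could begin "A payload of ..." to avoid the repetition.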