Insecure template rendering detected.

Description

Do not include externally influenced or user-supplied input in rendered templates. This is bad practice and can lead to code injection attacks.

Remediations

✅ Always validate external data (for example, with a safe list) before rendering it in a template.

✅ Sanitize external data before rendering it in a template to remove special characters that could introduce an injection attack.
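
Both remediations, shown as an added example that is not part of the original rule documentation. It assumes Python's string.Template as a stand-in for the application's template engine; GREETING, ALLOWED_THEMES, CONTEXT, render_unsafe and render_safe are hypothetical names, and all sample values are constructed.

```python
import html
from string import Template

# Assumption: string.Template stands in for whichever engine the app uses.
# Fixed template source, never assembled from request data (constructed sample).
GREETING = Template("<p>Hello, $name! Your theme is $theme.</p>")

# Safe list of accepted values for the "theme" field (hypothetical).
ALLOWED_THEMES = {"light", "dark", "high-contrast"}

# Constructed stand-in for server-side context the template can reach.
CONTEXT = {"secret": "s3cr3t-sample"}


def render_unsafe(name: str) -> str:
    """Anti-pattern: external input becomes part of the template source."""
    # Placeholders inside `name` are evaluated by the engine like the app's own.
    return Template("<p>Hello, " + name + "!</p>").safe_substitute(CONTEXT)


def render_safe(name: str, theme: str) -> str:
    """External input is validated, sanitized, and passed only as data."""
    if theme not in ALLOWED_THEMES:  # validate against the safe list
        raise ValueError("theme is not in the safe list")
    # Escape markup characters; the value is substituted, never parsed as template.
    return GREETING.substitute(name=html.escape(name), theme=theme)


if __name__ == "__main__":
    probe = "$secret"  # constructed input containing template syntax
    print(render_unsafe(probe))
    print(render_safe(probe, "dark"))
    print(render_safe("<b>Ann</b>", "light"))
```

The template source stays constant in render_safe, so template syntax inside the input is rendered as literal text instead of being evaluated.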

Resources

Associated CWE

OWASP Top 10