Missing escape of HTML entities in Handlebars template compilation

Description

As a templating engine, Handlebars generates HTML markup dynamically. Setting the noEscape compile option to true disables the HTML-entity escaping that Handlebars otherwise applies to values substituted into the template output.

This is a security risk because it can lead to Cross-Site Scripting (XSS) vulnerabilities if the template comes from an untrusted source.

Remediations

❌ Do not set noEscape to true when compiling Handlebars templates
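The weak setting beside the corrected one, as an added example that is not part of this rule page and not Bearer's or Handlebars' own code. So that it runs offline without the handlebars package, it uses a minimal stand-in renderer whose noEscape option and escape table are modelled on Handlebars' documented behaviour (Handlebars.escapeExpression escapes & < > " ' ` =); the function names compile, escapeExpression, renderWithNoEscape, renderWithEscaping and findNoEscapeCompiles, the sample template and the untrusted value are all constructed for the example. The last function is a heuristic source check in the spirit of the rule, not Bearer's matcher.

```javascript
// Added example (not Bearer's or Handlebars' own code). The escape table mirrors
// what Handlebars.escapeExpression escapes by default; the compile() below is a
// small stand-in for Handlebars.compile(template, options) so the effect of
// `noEscape` can be shown without the dependency.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;',
  '=': '&#x3D;',
};

// Escape every character that could break out of text content or an attribute value.
function escapeExpression(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => HTML_ESCAPES[ch]);
}

// Stand-in for Handlebars.compile(template, options): supports {{name}}
// (escaped unless noEscape is true) and {{{name}}} (always raw, as in Handlebars).
function compile(template, options = {}) {
  const noEscape = options.noEscape === true;
  return function render(context) {
    return template.replace(
      /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g,
      (_match, rawName, escName) => {
        if (rawName !== undefined) return String(context[rawName] ?? '');
        const value = context[escName] ?? '';
        return noEscape ? String(value) : escapeExpression(value);
      }
    );
  };
}

// Constructed untrusted value, e.g. a display name supplied by a user.
const UNTRUSTED_NAME = '<script>alert(1)</script>';
const GREETING_TEMPLATE = '<p>Hello, {{name}}!</p>';

// Weak configuration that this rule flags: noEscape: true lets the markup through verbatim.
function renderWithNoEscape() {
  return compile(GREETING_TEMPLATE, { noEscape: true })({ name: UNTRUSTED_NAME });
}

// Corrected configuration: leave noEscape at its default so {{name}} is entity-escaped.
function renderWithEscaping() {
  return compile(GREETING_TEMPLATE)({ name: UNTRUSTED_NAME });
}

// Heuristic source check in the spirit of the rule (not Bearer's own matcher):
// report every line where compile() is called with noEscape set to true.
function findNoEscapeCompiles(source) {
  const pattern = /compile\s*\([^)]*noEscape\s*:\s*true/;
  return source
    .split('\n')
    .map((line, i) => ({ line: i + 1, text: line.trim() }))
    .filter(({ text }) => pattern.test(text));
}

// Constructed snippet of application code to scan.
const SAMPLE_SOURCE = [
  "const Handlebars = require('handlebars');",
  "const unsafe = Handlebars.compile(src, { noEscape: true });",
  "const safe = Handlebars.compile(src);",
].join('\n');

console.log('noEscape: true ->', renderWithNoEscape());
console.log('default        ->', renderWithEscaping());
console.log('flagged lines  ->', findNoEscapeCompiles(SAMPLE_SOURCE));
```

With noEscape left at its default, the user-supplied value renders as text (`&lt;script&gt;...`) rather than as an executable element; where raw HTML is genuinely required for one value, Handlebars' triple-stash `{{{name}}}` limits the unescaped output to that expression instead of disabling escaping for the whole template.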

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_handlebars_no_escape

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_handlebars_no_escape