File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -24,6 +24,26 @@ disclose the issue.
2424After receiving your email, we will respond as soon as possible and indicate
2525what we plan to do.
2626
27+ ### A note on ` _.template `
28+
29+ [ ` template ` ] [ template ] allows the user to inject arbitrary JavaScript
30+ code in the template string. This is allowed by design. In fact, it is
31+ the main feature of ` template ` . Without this feature, templates would
32+ not be able to have conditional or repeated sections.
33+
34+ Because of this feature, it is the responsibility of the user not to
35+ pass any untrusted input to ` template ` . The contract is similar to
36+ that of the ` Function ` constructor or even ` eval ` : this function is so
37+ powerful that it can be dangerous, so use it with care.
38+
39+ If this does not sound exactly like what you were considering to
40+ report, or in case of doubt, please do send us a report. Of course, we
41+ would rather be safe than sorry. You would not be the first to find a
42+ [ vulnerability in ` template ` ] [ cve-2021-23358 ] .
43+
44+ [ template ] : https://underscorejs.org/#template
45+ [ cve-2021-23358 ] : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
46+
2747## Disclosure policy
2848
2949After confirming a vulnerability, we will generally release a security update
You can’t perform that action at this time.
0 commit comments