Skip to content

Commit 54cf593

Browse files
committed
Add note about _.template to security policy
1 parent 101b079 commit 54cf593

1 file changed

Lines changed: 20 additions & 0 deletions

File tree

SECURITY.md

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,26 @@ disclose the issue.
2424
After receiving your email, we will respond as soon as possible and indicate
2525
what we plan to do.
2626

27+
### A note on `_.template`
28+
29+
[`template`][template] allows the user to inject arbitrary JavaScript
30+
code in the template string. This is allowed by design. In fact, it is
31+
the main feature of `template`. Without this feature, templates would
32+
not be able to have conditional or repeated sections.
33+
34+
Because of this feature, it is the responsibility of the user not to
35+
pass any untrusted input to `template`. The contract is similar to
36+
that of the `Function` constructor or even `eval`: this function is so
37+
powerful that it can be dangerous, so use it with care.
38+
39+
If this does not sound exactly like what you were considering to
40+
report, or in case of doubt, please do send us a report. Of course, we
41+
would rather be safe than sorry. You would not be the first to find a
42+
[vulnerability in `template`][cve-2021-23358].
43+
44+
[template]: https://underscorejs.org/#template
45+
[cve-2021-23358]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
46+
2747
## Disclosure policy
2848

2949
After confirming a vulnerability, we will generally release a security update

0 commit comments

Comments
 (0)