JavaScript : Mixing template languages
Overview
The application uses several template engines, which can lead to cross-site scripting (XSS) vulnerabilities.
The application is configured to work with several template languages. This potentially allows attackers to bypass the escaping of expressions, which leads to cross-site scripting vulnerabilities. When templates are mixed, protection that was previously implemented for one of the template languages may stop working. In the most innocuous case the functionality simply does not work properly, but mixing can also allow malicious users to bypass the protection.
Mixing template languages (for example, using a function to wrap an AngularJS template within a Python Jinja template) is very dangerous. An embedded template language will not safely escape the AngularJS expressions, so any user-controlled values in the template will cause security errors that lead to XSS.
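The following added example (not part of the original page) illustrates the gap described above. It assumes a hypothetical helper, escapeHtml, standing in for a server-side engine's HTML auto-escaping; all function names and sample inputs are constructed for illustration. It contrasts a mixed render with one that isolates the value using AngularJS's ng-non-bindable directive.

```javascript
// Stand-in (assumption) for server-side HTML auto-escaping such as Jinja's:
// it neutralizes HTML metacharacters but knows nothing about {{ }}.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Weak: the escaped value lands in markup that AngularJS compiles client-side.
function renderMixed(userValue) {
  return `<div ng-app><p>Hello, ${escapeHtml(userValue)}</p></div>`;
}

// Hardened: still HTML-escaped, and the element is marked ng-non-bindable so
// AngularJS does not compile or interpolate its contents.
function renderIsolated(userValue) {
  return `<div ng-app><p ng-non-bindable>Hello, ${escapeHtml(userValue)}</p></div>`;
}

// Review/test check: does an interpolation marker survive in a region that
// AngularJS will compile? Handles the simple, non-nested case only.
function hasLiveInterpolation(html) {
  const compiled = html.replace(
    /<(\w+)[^>]*\sng-non-bindable[^>]*>[\s\S]*?<\/\1>/g,
    ""
  );
  return /\{\{[\s\S]*?\}\}/.test(compiled);
}

// Constructed sample inputs.
const htmlInput = "<b>bob</b>";
const exprInput = "{{1+1}}";

console.log(renderMixed(htmlInput));    // HTML tags are escaped
console.log(renderMixed(exprInput));    // {{1+1}} passes through unchanged
console.log(hasLiveInterpolation(renderMixed(exprInput)));    // true
console.log(hasLiveInterpolation(renderIsolated(exprInput))); // false
```

A check like hasLiveInterpolation can run in template tests to flag server-rendered values that reach an AngularJS-compiled region without isolation.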
