Using a moustache inside an HTML attribute wrapped with single quotes will allow a user to execute malicious JavaScript because Clostache doesn't escape single quotes.
Example: <a href='/user/{{username}}'>{{username}}</a> can easily be broken out of if username is set to foo' onmouseover='alert(1).
We should also be escaping more characters due to the crazy nature in which people can write renderable HTML, but single-quoted attributes are a pretty common thing.
Reference: http://wonko.com/post/html-escaping
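To make the problem concrete, here is an added Clojure example (not Clostache's own code): a minimal escaper that, like the behaviour described above, encodes only &, <, > and ", placed beside a hardened escaper that also encodes ' and / as the linked wonko.com post recommends. The template is the issue's own <a href='/user/{{username}}'> line, rendered by a constructed stand-in render-link function rather than Clostache's renderer, and the username value is the one from the report. attribute-intact? is a hypothetical check that counts single quotes in the output: the template contributes exactly two delimiters, so any extra unescaped quote means the value broke out of the attribute.

```clojure
;; Added example, not part of Clostache. Demonstrates why escaping only
;; & < > " is insufficient for single-quoted attributes.
(ns escape-demo
  (:require [clojure.string :as str]))

(defn escape-weak
  "Escapes &, <, > and \" only. Leaves ' untouched, so a value placed in a
  single-quoted attribute can close the quote and inject new attributes."
  [s]
  (str/escape s {\& "&amp;" \< "&lt;" \> "&gt;" \" "&quot;"}))

(defn escape-html
  "Hardened escaper: also encodes ' and / so the value can terminate neither a
  single- nor a double-quoted attribute."
  [s]
  (str/escape s {\& "&amp;"  \< "&lt;"   \> "&gt;"
                 \" "&quot;" \' "&#39;"  \/ "&#x2F;"}))

(defn render-link
  "Constructed stand-in for template rendering: applies the given escaper to
  username and substitutes it into the issue's template."
  [escape username]
  (let [u (escape username)]
    (str "<a href='/user/" u "'>" u "</a>")))

;; The value from the issue report.
(def username "foo' onmouseover='alert(1)")

(defn attribute-intact?
  "True when the rendered markup contains exactly the two single quotes that
  delimit the href attribute, i.e. the substituted value did not break out."
  [html]
  (= 2 (count (filter #{\'} html))))

(defn -main [& _]
  (doseq [[label escape] [["weak (no ' escaping)" escape-weak]
                          ["hardened" escape-html]]]
    (let [html (render-link escape username)]
      (println label)
      (println "  output:          " html)
      (println "  attribute intact:" (attribute-intact? html)))))
```

Run with clj -M -m escape-demo (or evaluate the forms in a REPL). With escape-weak the username's quotes survive into the href attribute and the check reports false; with escape-html every quote in the value becomes &#39;, the attribute closes where the template intended, and the check reports true. The same hardened map is what the linked post suggests applying to all template output by default.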