mde / ejs

Embedded JavaScript templates -- http://ejs.co
Apache License 2.0

Create SECURITY.md #664

Closed netcode closed 2 years ago

netcode commented 2 years ago

Adding a basic security policy. Highly inspired by ExpressJS security policy.

mde commented 2 years ago

Could you please add a statement similar to the following?

"If you give end-users unfettered access to the EJS render method, you are using EJS in an inherently insecure way. Please do not report security issues that stem from doing that. EJS is effectively a JavaScript runtime. Its entire job is to execute JavaScript. If you run the EJS render method without checking the inputs yourself, you are responsible for the results."

I ask this because we get a ton of supposed security issues that stem from people assuming the render method should be secure. It is not, nor should it be.
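The distinction mde is drawing is between untrusted input arriving as template data and untrusted input arriving as the template itself. The following is an added example, not code from this PR or from the ejs package: a deliberately stripped-down template compiler (an assumed stand-in for EJS that only understands `<%= %>` escaped output and `<%- %>` raw output, and references data as `data.x` rather than through EJS's `with` scoping) used to show why the second case is code execution. The function names `compileTemplate`, `renderProfile` and `renderUserSuppliedTemplate` are hypothetical.

```javascript
// Simplified model of what an EJS-style engine does: the template text is
// turned into a JavaScript function with `new Function`. Whoever controls
// the template text therefore controls the code that runs at render time.
// This is an assumed stand-in for illustration, not the ejs implementation.

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function compileTemplate(src) {
  const tagRe = /<%([=-])([\s\S]*?)%>/g;
  let body = 'let out = "";\n';
  let last = 0;
  let m;
  while ((m = tagRe.exec(src)) !== null) {
    // Literal text between tags is emitted as a JSON string literal.
    body += `out += ${JSON.stringify(src.slice(last, m.index))};\n`;
    const expr = m[2].trim();
    // <%= %> HTML-escapes the result; <%- %> emits it raw. Either way the
    // expression inside the tag is evaluated as JavaScript.
    body += m[1] === '='
      ? `out += escapeHtml((${expr}));\n`
      : `out += String((${expr}));\n`;
    last = tagRe.lastIndex;
  }
  body += `out += ${JSON.stringify(src.slice(last))};\nreturn out;`;
  const fn = new Function('escapeHtml', 'data', body);
  return (data) => fn(escapeHtml, data);
}

// Intended use: the developer fixes the template at build time and untrusted
// input only ever reaches it through `data`, where <%= %> escapes it.
const PROFILE_TEMPLATE = compileTemplate('<p>Hello, <%= data.name %>!</p>');

function renderProfile(untrustedName) {
  return PROFILE_TEMPLATE({ name: untrustedName });
}

// Misuse: the template text itself comes from the user. The "name" is now a
// JavaScript program, and render executes it; no amount of escaping in the
// engine can help, because escaping applies to the output, not to the code.
function renderUserSuppliedTemplate(untrustedTemplate) {
  return compileTemplate(untrustedTemplate)({});
}

// Constructed payload: harmless arithmetic standing in for any expression an
// attacker could write, e.g. one reaching `process` or `require` in Node.
const PAYLOAD = '<%= 6*7 %>';
```

Fed the same constructed string, `renderProfile(PAYLOAD)` returns the payload as escaped text inside the page, while `renderUserSuppliedTemplate(PAYLOAD)` returns `42` because the engine evaluated it. Input validation has to happen before the template is chosen; filtering `<%` out of user input is not a fix, it is still letting users author code.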

netcode commented 2 years ago

Done, I added this note in SECURITY.md and the README.md.

mde commented 2 years ago

This is awesome, thank you so much!