Closed ertygiq closed 1 month ago

In the SECURITY.md file it's mentioned that the following code is insecure:

Could you explain why?

Because you are not checking what inputs are going into the render method. You are blindly passing end-user inputs into EJS, which means (depending on what's in your template) they could run arbitrary (and potentially malicious) JavaScript code on your server. It's a very similar security problem to SQL injection.
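To make the reply above concrete, here is an added illustration; it is not code from EJS, from SECURITY.md, or from either participant in this thread. It is a deliberately small EJS-style engine that, like EJS, rewrites the template into JavaScript source and compiles that source with `new Function`, so the template is a program and anything spliced into it runs on the server. The option name `outputFunctionName`, the way the data object doubles as the options object (the shape of `render(template, req.query)`), and the request payloads are all constructed for the example; which real EJS options are reachable through the data object depends on the EJS version and is not something this thread states.

```javascript
// Added illustration, not code from EJS or from this issue: a tiny EJS-style
// engine that makes the maintainer's point concrete. Option and key names are
// constructed for the example.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);

// Compile `<%= expr %>` (HTML-escaped output) and `<% code %>` (raw JS) into a
// render function. `outputFunctionName` stands in for an engine option that is
// interpolated into the generated source instead of being treated as data.
function compile(template, opts = {}) {
  let src = 'var __out = "";\n';
  if (opts.outputFunctionName) {
    src += `var ${opts.outputFunctionName} = function (s) { __out += s; };\n`;
  }
  const tag = /<%(=?)([\s\S]*?)%>/g;
  let last = 0;
  let m;
  while ((m = tag.exec(template)) !== null) {
    src += `__out += ${JSON.stringify(template.slice(last, m.index))};\n`;
    src += m[1] === '=' ? `__out += escape(${m[2]});\n` : `${m[2]}\n`;
    last = m.index + m[0].length;
  }
  src += `__out += ${JSON.stringify(template.slice(last))};\nreturn __out;`;
  // `with (locals)` exposes data keys as bare names, as EJS's generated code does.
  return new Function('locals', 'escape', `with (locals) {\n${src}\n}`);
}

const render = (template, locals, opts) => compile(template, opts)(locals, escapeHtml);

const PAGE = '<h1>Hello <%= name %></h1>';

// Insecure pattern: the request's query/body object is handed to the engine as
// the locals *and* the options. Every key the client sends is now trusted as
// engine configuration, and this option is spliced straight into the source.
function handleInsecure(untrusted) {
  return render(PAGE, untrusted, untrusted);
}

// Still insecure, and more obvious: the client chooses the template string.
// `<% %>` blocks are server-side JavaScript, so this is direct code execution.
function handleTemplateFromClient(untrusted) {
  return render(untrusted.template, {});
}

// Hardened pattern: the template and options are constants chosen by the
// developer; client input is copied onto a fresh object one expected key at a
// time, and only ever appears as a value that `<%= %>` escapes.
const RENDER_OPTS = Object.freeze({ outputFunctionName: 'echo' });
function handleSecure(untrusted) {
  const locals = Object.create(null);
  locals.name = String(untrusted.name ?? '');
  return render(PAGE, locals, RENDER_OPTS);
}

// Constructed request payloads. Instead of spawning a process, the injected
// code just sets a global marker so the effect is observable and harmless.
const benign = { name: 'Ada <script>alert(1)</script>' };
const optionInjection = { name: 'Ada', outputFunctionName: 'x; globalThis.pwned = "yes"; var y' };
const templateInjection = { template: '<% globalThis.pwned = "via template" %>ok' };

function demo() {
  globalThis.pwned = 'no';
  const insecure = handleInsecure(optionInjection);
  const afterOption = globalThis.pwned;    // "yes": the injected statement ran
  handleTemplateFromClient(templateInjection);
  const afterTemplate = globalThis.pwned;  // "via template"
  globalThis.pwned = 'no';
  const secure = handleSecure(optionInjection);
  const afterSecure = globalThis.pwned;    // "no": the key became plain data
  return { insecure, afterOption, afterTemplate, secure, afterSecure, escaped: handleSecure(benign) };
}
```

Calling `demo()` shows the three outcomes side by side: with the insecure handler the page still renders normally, so nothing in the HTML hints that server-side code ran, which is why the maintainer compares this to SQL injection. The hardened handler keeps the template and options out of the client's hands entirely and treats the request as data only; an allow-list copy onto a null-prototype object also avoids any interaction between client-supplied key names and whatever the engine resolves through `with`.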