mde / ejs

Embedded JavaScript templates -- http://ejs.co
Apache License 2.0

SECURITY.md explained #768

Closed ertygiq closed 1 month ago

ertygiq commented 1 month ago

In the SECURITY.md file it's mentioned that the following code is insecure:

const express = require('express');
const app = express();
app.set('view engine', 'ejs');
app.get('/', (req, res) => {
    res.render('index', req.query); // insecure: every query-string key is forwarded to EJS
});

Could you explain why?

mde commented 1 month ago

Because you are not checking what inputs are going into the render method. You are blindly passing end-user inputs into EJS, which means (depending on what's in your template) they could run arbitrary (and potentially malicious) JavaScript code on your server. It's a very similar security problem as SQL injection.
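The mechanism mde describes, shown as an added example that is not part of the issue thread or of the ejs project's own code. It assumes that Express's res.render(view, locals) forwards the locals object to the view engine, and that EJS reads certain keys of that object as engine options rather than as template variables (the EJS_OPTION_KEYS list below is reproduced from ejs's _OPTS_PASSABLE_WITH_DATA plus the Express-specific cache and settings keys, and may differ between versions). The fake res object and the query object are constructed for the demonstration; the hardened handler allowlists the one field the template needs.

```javascript
// Added example: why `res.render('index', req.query)` is unsafe and how to
// allowlist what reaches the template engine. Not from the ejs project or
// the issue thread.

// ASSUMPTION: key names that EJS copies from the data/locals object into its
// options (ejs's _OPTS_PASSABLE_WITH_DATA plus the Express-only `cache` and
// `settings`). Verify the list against the installed ejs version.
const EJS_OPTION_KEYS = new Set([
  'delimiter', 'scope', 'context', 'debug', 'compileDebug', 'client',
  '_with', 'rmWhitespace', 'strict', 'filename', 'async', 'cache', 'settings',
]);

// Returns the keys of a locals object that EJS would treat as options.
function findOptionOverrides(locals) {
  return Object.keys(locals).filter((k) => EJS_OPTION_KEYS.has(k));
}

// Copies only the expected keys into a prototype-less object. Only plain
// strings are accepted: Express's default ("extended") query parser turns
// `a[b]=c` into nested objects and `a=1&a=2` into arrays, neither of which
// a template should receive unchecked.
function pickLocals(query, allowedKeys) {
  const locals = Object.create(null);
  for (const key of allowedKeys) {
    if (typeof query[key] === 'string') locals[key] = query[key];
  }
  return locals;
}

// The handler quoted in the issue: every query-string key, including any
// engine option, is handed straight to EJS.
function vulnerableHandler(req, res) {
  res.render('index', req.query);
}

// Hardened form: the template only ever sees `name`, and only as a string.
function hardenedHandler(req, res) {
  res.render('index', pickLocals(req.query, ['name']));
}

// Minimal stand-in for Express's `res` (constructed for this example) that
// records what would be handed to the view engine instead of rendering.
function localsPassedToEngine(handler, query) {
  let captured = null;
  const res = { render(view, locals) { captured = { view, locals }; } };
  handler({ query }, res);
  return captured.locals;
}

// Constructed request: a legitimate `name` plus three keys that are EJS
// options, all of which a visitor can put in the URL.
const CONSTRUCTED_QUERY = {
  name: 'alice',
  delimiter: '?',
  filename: 'other.ejs',
  settings: { 'view options': { client: true } },
};

console.log('option keys reaching EJS (vulnerable):',
  findOptionOverrides(localsPassedToEngine(vulnerableHandler, CONSTRUCTED_QUERY)));
console.log('option keys reaching EJS (hardened):',
  findOptionOverrides(localsPassedToEngine(hardenedHandler, CONSTRUCTED_QUERY)));
```

The allowlist is the whole fix: the template decides which names it needs, the route copies exactly those, and nothing a user controls can select an engine option or shadow one of EJS's internal names. The same pattern applies to req.body and req.params.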