Prior to 0.8.5, EJS doesn't escape the ' (apostrophe) character when using the `<%= %>` syntax. This can lead to XSS accidents! Consider the template `<img src='<%= prefs.avatar %>'>`. When given user input `x' onerror`
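The point above is that an escaper which handles `&`, `<`, `>` and `"` but not `'` leaves a single-quoted attribute open. The following is an added example, not EJS's own code: two simplified escapers written for this illustration (one modelling the pre-0.8.5 behaviour, one that also escapes the apostrophe), applied to the template from the text with a benign filename containing an apostrophe. The `attributeIntact` check and the sample filename are constructed here.

```javascript
// Added example (not EJS's implementation): why an HTML escaper used for
// attribute values must also escape the apostrophe.

const BASE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;' };

// Models the pre-0.8.5 behaviour described above: ' is left untouched.
function escapeOld(value) {
  return String(value).replace(/[&<>"]/g, (ch) => BASE_MAP[ch]);
}

// Escapes the apostrophe as well, so it can no longer end a '-quoted attribute.
function escapeFixed(value) {
  return String(value).replace(/[&<>"']/g, (ch) => (ch === "'" ? '&#39;' : BASE_MAP[ch]));
}

// Renders the page's template <img src='<%= prefs.avatar %>'> with a given escaper.
function renderAvatar(avatar, escaper) {
  return `<img src='${escaper(avatar)}'>`;
}

// Small structural check (not a full HTML parser): the tag still has exactly
// one single-quoted src value and nothing escaped out of the attribute.
function attributeIntact(html) {
  return /^<img src='[^']*'>$/.test(html);
}

// Constructed sample: an ordinary filename containing an apostrophe. No attack
// string is needed to see the difference; any apostrophe ends the attribute.
const sample = "O'Reilly.png";

console.log(renderAvatar(sample, escapeOld));   // apostrophe lands raw inside the attribute
console.log(renderAvatar(sample, escapeFixed)); // apostrophe becomes &#39;
```

With the old escaper the rendered tag is `<img src='O'Reilly.png'>`, where the attribute has already closed after `O`; with the fixed escaper the browser receives `O&#39;Reilly.png` inside a still-closed attribute. The same reasoning applies to any context where a template puts user data inside single quotes.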
Vulnerability Details

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in `settings[view options][outputFunctionName]`. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which ...
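The advisory text above describes request-controlled data reaching an engine-internal option. One application-side mitigation is to keep engine configuration keys out of whatever object is handed to the template engine, and to require that an output function name, if the application sets one at all, is a plain JavaScript identifier. The following is an added example written here, not EJS's or Express's fix; the reserved-key list, the identifier rule and the sample query object are this example's own assumptions.

```javascript
// Added example (not the library's code): guard data before it reaches a
// template engine so that engine options cannot be set from user input.

// Keys that should never come from request data. This list is an assumption
// made for the example, built from the option path named in the advisory.
const RESERVED_KEYS = new Set(['settings', 'view options', 'outputFunctionName']);
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Returns a copy of `data` without reserved keys, walking nested objects so
// that a path like settings['view options'].outputFunctionName is dropped
// wherever it appears. Depth is capped to avoid pathological nesting.
function stripReservedKeys(data, depth = 0) {
  if (data === null || typeof data !== 'object' || depth > 8) return data;
  if (Array.isArray(data)) return data.map((v) => stripReservedKeys(v, depth + 1));
  const out = {};
  for (const [key, value] of Object.entries(data)) {
    if (RESERVED_KEYS.has(key)) continue;
    out[key] = stripReservedKeys(value, depth + 1);
  }
  return out;
}

// outputFunctionName is meant to name a function in generated code, so the
// only legitimate values are identifiers. Anything with spaces, quotes or
// punctuation is rejected before the option is passed to the engine.
function validateOutputFunctionName(name) {
  if (name === undefined) return true;
  return typeof name === 'string' && IDENTIFIER.test(name);
}

// Constructed sample of a query object an application might pass straight
// into its render call; the nested path mirrors the one in the advisory.
const untrustedQuery = {
  title: 'Home',
  settings: { 'view options': { outputFunctionName: 'not an identifier' } },
};

console.log(JSON.stringify(stripReservedKeys(untrustedQuery))); // {"title":"Home"}
```

The two functions address different layers: `stripReservedKeys` is applied to anything derived from the request, while `validateOutputFunctionName` is applied to the application's own configuration, so a mistake in either place is caught before the engine compiles a template.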