Add advisory for handlebars-source <4.0.0 for "Quoteless attributes in templates can lead to XSS"

[reedloden]

I just noticed that rubygems tracks handlebars.js via https://rubygems.org/gems/handlebars-source as well, sigh...

https://blog.srcclr.com/handlebars_vulnerability_research_findings/

https://srcclr.com/catalog/vulnerabilities/1878

handlebars-lang/handlebars.js#1083

RetireJS/retire.js@8d3c91e

[reedloden]

@VanessaHenderson How can I get you folks to let RubySec and Node Security Project know about these things when you find them? :)

[reedloden]

This issue also affects mustache.js (see janl/mustache.js@378bcca), which means https://github.com/knapo/mustache-js-rails is affected.

[reedloden]

Requested a CVE from MITRE, as well as an ID from OSVDB.

[phillmv]

Whoa, nice going @VanessaHenderson!

[reedloden]

mustache-js-rails v2.0.3 was just released with a fix for this issue.