
Potential XSS in utils.js escapeExpression() regarding equal sign handling? #1440

Closed
quakedc opened this issue May 2, 2018 · 2 comments

quakedc commented May 2, 2018

I'm using a library that has handlebars as a dependency. My application has been audited (at work) and apparently the audit report shows that there is a potential vulnerability in handlebars (4.0.11). I've attached a screenshot of the issue below.

[screenshot attached: handlebars]

Does anyone know if this is valid or a false positive? I don't have access to VulnDB but will try to get more details about it if needed. It seems like it is complaining about the equal sign not being escaped? I'm new to the handlebars code but at first glance it seems fine to me? (The escaping is done at the end of the function.)

nknapp (Collaborator) commented May 3, 2018

The change was made in 2015 and should be in all recent releases (especially in 4.0.11).
The entry does not seem to be up-to-date. There was a rather long period where the fix was in the git repo but no release was made. I made the release in April 2017, so it may just be that the person who wrote this entry has not checked the newer versions.
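To make the question in this thread concrete, here is an added JavaScript example (written for this page, not Handlebars' own utils.js) of an escapeExpression-style helper. It builds two escapers from two escape maps: an "old" map that stops at `&<>"'`, and a "fixed" map that also escapes the backtick and the equal sign, which is the difference the audit entry is about. The map entries and the fast-path regex test are modeled on what Handlebars does; the function names, the `containsRawAttributeChars` check and the sample input are assumptions made for this example.

```javascript
'use strict';

// Added example, not the library's code. Two escape maps: the "old" set
// without '=' and '`', and the "fixed" set that includes them.
const ESCAPE_OLD = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

const ESCAPE_FIXED = Object.assign({}, ESCAPE_OLD, {
  '`': '&#x60;',
  '=': '&#x3D;',
});

// Build an escaper whose regex is derived from the map keys, so the set of
// characters matched and the set of replacements cannot drift apart.
// None of the keys need escaping inside a character class.
function makeEscaper(map) {
  const classBody = Object.keys(map).join('');
  const possible = new RegExp('[' + classBody + ']');      // fast path test
  const badChars = new RegExp('[' + classBody + ']', 'g');  // actual rewrite

  return function escapeExpression(value) {
    // Mirror the usual behaviour for missing values: render nothing.
    if (value === null || value === undefined) return '';
    const str = String(value);
    // Skip the replace entirely when nothing needs escaping.
    if (!possible.test(str)) return str;
    // One pass with a callback: '&' is never re-escaped by a later rule.
    return str.replace(badChars, (c) => map[c]);
  };
}

const escapeOld = makeEscaper(ESCAPE_OLD);
const escapeFixed = makeEscaper(ESCAPE_FIXED);

// Assumed helper: after escaping, does the output still contain any
// character that could close or extend an attribute when the value is
// inserted into an unquoted HTML attribute context?
function containsRawAttributeChars(s) {
  return /[=`"'<>]/.test(s);
}

// Constructed sample input carrying an equal sign, as a field value might.
const SAMPLE = 'size=large';

function demo() {
  return {
    old: escapeOld(SAMPLE),      // 'size=large'  (equal sign left alone)
    fixed: escapeFixed(SAMPLE),  // 'size&#x3D;large'
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The check at the end is the practical test an auditor can run against any installed version: feed a value containing `=` through `Handlebars.escapeExpression` and confirm the output contains `&#x3D;` rather than a raw `=`.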

quakedc (Author) commented May 3, 2018

Thanks for the quick response. That's what I thought when I quickly glanced over the code. Since I don't have access to VulnDB (and there may be others using it), I'm going to see if I can ask my contact to see if they can report that issue as resolved.
