Why this matters
Thymeleaf's preprocessing syntax `__${...}__` evaluates the inner expression first and then parses its string result as a new expression before the surrounding attribute is evaluated. When that inner value comes from user input, the attacker no longer supplies data to a template but the text of an expression that the engine executes on the server. In a plain Thymeleaf setup that expression is OGNL; in a Spring MVC application it is SpringEL, whose type operator exposes arbitrary classes, so the outcome is typically remote code execution rather than just a rendering glitch.
Never build an expression from user-controlled data. Pass tainted values to the template only as context variables rendered with a plain `${...}` expression (with `th:text`, which HTML-escapes the value, not `th:utext`). If a request needs to select between several attributes or fragments, map the input server-side to a fixed, allow-listed key and preprocess that key, not the raw input.
Side-by-side examples engineers can pattern-match during review.
Noncompliant code example

<!DOCTYPE HTML>
<html xmlns:th="http://www.thymeleaf.org">
<body>
<span th:text="${__${tainted}__}"></span> <!-- Noncompliant -->
</body>
</html>

Compliant solution

<!DOCTYPE HTML>
<html xmlns:th="http://www.thymeleaf.org">
<body>
<span th:text="${tainted}"></span>
</body>
</html>
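The following is an added, stand-alone demonstration and not code from the rule or from the Thymeleaf project. It renders the two templates above through a Thymeleaf 3 `TemplateEngine` with a `StringTemplateResolver` (assumed to be on the classpath together with its bundled OGNL dependency) and feeds both a constructed "tainted" value, the classic arithmetic probe `7*7`. In the noncompliant template, preprocessing rewrites `${__${tainted}__}` into `${7*7}` before parsing, so the probe is evaluated as an expression and the product is rendered; in the compliant template the same value is treated as an opaque string and reaches the output verbatim. The class and method names are the example's own.

```java
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

/**
 * Added demonstration (not the rule's or Thymeleaf's own code): shows how the
 * preprocessing syntax re-evaluates a user-controlled value as an expression.
 */
public class ThymeleafPreprocessingDemo {

    // Template bodies taken from the rule's examples.
    static final String NONCOMPLIANT =
        "<span th:text=\"${__${tainted}__}\"></span>";
    static final String COMPLIANT =
        "<span th:text=\"${tainted}\"></span>";

    /** Engine that parses the template string passed to process() directly. */
    static TemplateEngine engine() {
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
        return engine;
    }

    /** Renders the given template with a single context variable "tainted". */
    static String render(String template, String tainted) {
        Context ctx = new Context();
        ctx.setVariable("tainted", tainted);
        return engine().process(template, ctx);
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled input: an arithmetic probe commonly used
        // to check whether input reaches an expression evaluator.
        String tainted = "7*7";

        // Preprocessing turns ${__${tainted}__} into ${7*7} before the attribute
        // expression is parsed, so the probe is executed as an OGNL expression.
        System.out.println("noncompliant: " + render(NONCOMPLIANT, tainted));

        // Without preprocessing the value stays a string; th:text also HTML-escapes
        // it, so the probe is printed as-is and never evaluated.
        System.out.println("compliant:    " + render(COMPLIANT, tainted));
    }
}
```

Running the class makes the difference visible at a glance: only the first line shows the product of the probe. The same mechanism is what turns a real payload into code execution, so during review treat any `__${...}__` whose inner expression can be influenced by a request as a finding, regardless of what the surrounding attribute does with the result.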