Client Side Template Injection - Vulnerability Database

Client Side Template Injection

Description

Client-Side Template Injection (CSTI) occurs when user-controlled input is written into markup that a client-side template framework compiles in the browser, so that the framework's own expression syntax is evaluated as part of the template. It is a form of Cross-Site Scripting, but the mechanism differs from ordinary reflected XSS: the payload contains no HTML tags or event handlers, only template expressions such as {{ ... }}, so HTML entity encoding of the reflected value does not stop it, because { and } are not HTML-special characters. AngularJS is the best-known target: its expression sandbox was bypassed repeatedly and removed altogether in version 1.6, so an injected expression can reach the Function constructor (for example via constructor.constructor) and run arbitrary JavaScript in the victim's browser. Vue.js is affected only when templates are assembled from user input and compiled on the client at runtime. React has no runtime template language and does not compile expressions found in DOM text, so this class of issue does not apply to it; XSS in React applications comes from sinks such as dangerouslySetInnerHTML instead.
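The following is an added example, not code from this page or from any framework vendor. It shows, in Node.js with no dependencies, why the classic XSS control (HTML entity encoding) leaves a CSTI probe intact when the server reflects a parameter into an AngularJS-compiled region, alongside a hardened render that keeps user text out of the compiler with ng-non-bindable and delivers the value as data for ng-bind. The page layout, the "shop" application name, the SearchCtrl controller and the query parameter are assumptions made for illustration.

```javascript
// Added example, not Invicti's code: why HTML encoding alone does not stop CSTI,
// and a hardened server-side render. Runs under Node.js with no dependencies.
// The page layout, the "shop" app name, the SearchCtrl controller and the
// "query" parameter are assumed for illustration.

// Standard HTML entity encoding, the classic XSS control.
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// VULNERABLE: the server reflects a query parameter into markup that AngularJS
// compiles (it sits inside the ng-app element). HTML encoding neutralizes tags,
// but '{' and '}' are not HTML-special and pass through untouched, so AngularJS
// later treats the surviving {{...}} as an expression and evaluates it.
function renderSearchVulnerable(query) {
  return `<body ng-app="shop">
  <p>Results for: ${htmlEscape(query)}</p>
</body>`;
}

// Delimiters of the template syntaxes in play: AngularJS/Vue interpolation and
// the ${} of JS template literals. Used for a defence-in-depth reject at the
// input boundary; it is not the primary control.
const TEMPLATE_DELIMITERS = ["{{", "}}", "${"];

function containsTemplateSyntax(input, delimiters = TEMPLATE_DELIMITERS) {
  return delimiters.some((d) => String(input).includes(d));
}

// HARDENED:
//  1. the reflected text is wrapped in an element marked ng-non-bindable, so
//     the AngularJS compiler skips that subtree and renders {{ }} literally;
//  2. the value the app needs to display is delivered as data in a
//     type="application/json" script block (AngularJS does not compile script
//     element contents and browsers do not execute that type); the controller
//     reads it with JSON.parse, exposes it on $scope, and the view binds it
//     with ng-bind, so it never becomes template text.
function renderSearchHardened(query) {
  // Escape '<' inside the JSON so a value containing "</script>" cannot close
  // the data block early.
  const data = JSON.stringify({ query }).replace(/</g, "\\u003c");
  return `<body ng-app="shop" ng-controller="SearchCtrl">
  <script id="search-data" type="application/json">${data}</script>
  <p ng-non-bindable>Results for: ${htmlEscape(query)}</p>
  <p>Showing results for <span ng-bind="query"></span></p>
</body>`;
}

// Probe an attacker would send: AngularJS renders it as 49 in the vulnerable
// page, while the hardened page shows it literally.
const probe = "{{7*7}}";
console.log(renderSearchVulnerable(probe));
console.log(renderSearchHardened(probe));
console.log("contains template syntax:", containsTemplateSyntax(probe));
```

Run it with node and compare the two outputs: both contain the literal text {{7*7}}, and the difference that matters is not the encoding but whether that text is inside a region AngularJS will compile.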

Remediation

Implement the following security measures to prevent Client-Side Template Injection:

1. Avoid Rendering User Input in Templates:
Never write user input into markup that the framework will compile, even when it is HTML-encoded (for AngularJS, that means anything inside the ng-app element). Hand user-controlled values to the application as data, for example a bound scope property or a JSON payload, and render them with data binding against pre-compiled templates. Never pass user input to dynamic template compilation such as AngularJS $compile, Vue.compile, or a Vue component's template option.

2. Use Framework-Specific Security Features:

  • For AngularJS: Wrap any server-rendered region that contains user text in an element marked ng-non-bindable so the compiler leaves it alone, and bind user data through scope properties with ng-bind rather than writing it into the template text. {{ }} interpolation and ng-bind escape HTML in the bound value, but they do not protect text that is already part of the template, which is exactly where CSTI happens. Avoid ng-bind-html with user input; it is an XSS sink that requires $sce trust or $sanitize, not a CSTI control
  • For Vue.js: Do not build template strings from user input or compile them at runtime (Vue.compile, the template option, or the runtime-compiler build); use pre-compiled single-file components. Use v-text or {{ }} bound to a data property instead of v-html for user-controlled content, and mark server-rendered regions that contain user text with v-pre so Vue skips compiling them
  • For React: JSX has no runtime template language, so CSTI does not apply; rely on JSX's automatic escaping and avoid dangerouslySetInnerHTML with user input

3. Implement Content Security Policy (CSP):
Deploy a strict CSP that forbids inline scripts and eval-style code generation and restricts script sources, for example:
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'
Without 'unsafe-eval' the browser blocks the Function constructor and eval, which most AngularJS sandbox-escape payloads and Vue's runtime template compiler depend on; without 'unsafe-inline' injected inline scripts do not run. Treat this as a mitigation rather than a fix: AngularJS still evaluates the injected expression with its own parser, and CSP bypass techniques for AngularJS have been published, so the policy must be combined with the other measures listed here.

4. Apply Context-Aware Output Encoding and Sanitization:
HTML entity encoding remains mandatory wherever user input is written into a page, but it does not neutralize template delimiters, so on its own it does not prevent CSTI. HTML sanitizers such as DOMPurify belong in front of HTML-binding sinks (ng-bind-html, v-html, dangerouslySetInnerHTML): they remove dangerous tags and attributes, not {{ }} expressions, so their output must still be kept out of anything the framework compiles:
// Example: sanitizing HTML in the browser before it reaches an HTML-binding sink
import DOMPurify from 'dompurify';
// Removes scripts, event-handler attributes and other dangerous markup; it does not
// strip template delimiters such as {{ }}, so bind the result as data, never compile it
const cleanHtml = DOMPurify.sanitize(userInput);

5. Keep User Text Out of the Template Compiler:
If using AngularJS, mark server-rendered regions that carry user text with ng-non-bindable and deliver any value the application needs as data rather than as template text. Strict Contextual Escaping ($sce, configured through $sceProvider) governs the HTML-binding sinks such as ng-bind-html; it does not stop interpolation of {{ }} that is already in the DOM, so it is not a remedy for CSTI on its own. Changing the interpolation symbols with $interpolateProvider only guards against accidental collisions, since an attacker can read the page source to learn the new delimiters. AngularJS reached end of life at the end of 2021; migrating to Angular, whose templates are compiled ahead of time and which does not evaluate expressions found in DOM text, removes the issue.

6. Input Validation:
As defense in depth, validate on the server (client-side checks can be bypassed) and reject input containing the delimiters of every template engine in use, such as {{, }}, ${, and other framework-specific syntax. Prefer allow-listing the characters each field legitimately needs over block-listing delimiters, and treat this as a secondary control: legitimate input may contain braces, and only the measures above actually prevent evaluation.
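The following is an added example, not code from this page or from any framework vendor, supporting the CSP step above. It parses a Content-Security-Policy header in Node.js with no dependencies and reports the script allowances that let a template-injection payload turn expression evaluation into arbitrary JavaScript ('unsafe-eval', 'unsafe-inline' without a nonce or hash, and wildcard or scheme-only sources). The header strings in the demo are constructed for illustration; the first one is the policy recommended on this page.

```javascript
// Added example, not Invicti's code: audits a Content-Security-Policy header
// for the script allowances that matter to CSTI. Runs under Node.js with no
// dependencies; the header strings at the bottom are constructed for the demo.

// Parse "name v1 v2; name v3" into Map<directive, [values]>. Directive names
// are case-insensitive; keyword sources like 'unsafe-eval' are compared
// lower-cased too (nonce values are only checked by prefix, so case is irrelevant).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy.set(name.toLowerCase(), values.map((v) => v.toLowerCase()));
  }
  return policy;
}

// script-src governs script execution; when it is absent, default-src applies;
// when both are absent the policy places no restriction on scripts at all.
function effectiveScriptSrc(policy) {
  if (policy.has("script-src")) return policy.get("script-src");
  if (policy.has("default-src")) return policy.get("default-src");
  return null;
}

// Returns findings; an empty array means the policy blocks inline scripts and
// eval-style code generation. Why that matters for CSTI: the usual way an
// AngularJS expression reaches arbitrary code is Function via
// constructor.constructor, and Vue's runtime template compiler itself relies
// on new Function, so both need 'unsafe-eval'. The injected expression is
// still evaluated by the framework's own parser, so a clean result here is a
// mitigation, not a fix for the injection.
function auditCspForCsti(header) {
  const src = effectiveScriptSrc(parseCsp(header));
  if (src === null) {
    return ["no script-src or default-src: scripts are unrestricted"];
  }
  const findings = [];
  // Per CSP Level 2+, a nonce or hash in script-src makes 'unsafe-inline' a
  // no-op, so it is only a finding when neither is present.
  const hasNonceOrHash = src.some(
    (v) => v.startsWith("'nonce-") || /^'sha(256|384|512)-/.test(v)
  );
  if (src.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' present: Function()/eval reachable from an injected expression");
  }
  if (src.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' present without nonce/hash: injected inline scripts run");
  }
  if (src.some((v) => v === "*" || v === "https:" || v === "http:" || v === "data:")) {
    findings.push("scheme or wildcard source allows scripts from arbitrary origins");
  }
  return findings;
}

// Demo: the header recommended on this page versus two weaker variants.
const STRICT = "default-src 'self'; script-src 'self'; object-src 'none'";
const WEAK_EVAL = "default-src 'self'; script-src 'self' 'unsafe-eval'";
const WEAK_ALL = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'";
for (const h of [STRICT, WEAK_EVAL, WEAK_ALL]) {
  console.log(h, "->", auditCspForCsti(h));
}
```

The check deliberately falls back to default-src, because a policy that sets only default-src 'self' still constrains scripts, while one that sets only img-src or style-src leaves them unrestricted; the fallback order is the one browsers apply.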