// Unsafe: nunjucks.renderString receives a tainted template *source*
// string (arg 0) built from req.body; SSTI fires on the source argument.
const nunjucks = require('nunjucks');
/**
 * Request handler kept deliberately unsafe as a server-side template
 * injection (SSTI) example.
 *
 * Source: `req.body.template`, a string fully controlled by the client.
 * Sink: argument 0 of `nunjucks.renderString`, which is compiled and run as
 * template code rather than treated as data. Nunjucks does not sandbox
 * template execution, so a checker should report this flow.
 *
 * The non-vulnerable shape keeps the template source constant (or loaded from
 * a file shipped with the application) and passes request values only through
 * the context object (argument 1).
 *
 * @param {object} req - Request whose parsed body carries `template`.
 * @param {object} res - Response; the rendered output is passed to `res.send`.
 */
function handler(req, res) {
  // Tainted: taken verbatim from the request body, no validation or allowlist.
  const templateSource = req.body.template;
  const context = { user: 'anon' };

  // Sink: the tainted string is the template *source*, not a context value.
  const rendered = nunjucks.renderString(templateSource, context);
  res.send(rendered);
}
// CommonJS export: the handler function is the module's only export.
module.exports = handler;