Critiq Docs
Get started
security.output-encoding

Keep Handlebars escaping enabled at template trust boundaries

Server-side Handlebars compilation should not disable HTML escaping with `noEscape: true`.

#Metadata

Rule ID
ts.security.handlebars-no-escape
Severity
high
Confidence
0.95
Languages
javascript, typescript
Presets
recommended, security, strict
Stability
stable
Applies to
block
Tags
output-encoding, rules-catalog, security, templating, xss

#Why it matters

Disabling Handlebars escaping weakens the template trust boundary and can turn server-rendered output into attacker-controlled HTML.

#Remediation

Leave Handlebars escaping enabled, or treat raw HTML rendering as an explicit, narrowly reviewed trust boundary.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.handlebars-no-escape.rule.yaml.

Back to registryOpen rule in repository