From 7690404e2fc1688756938e4d2fc19e0fac77d736 Mon Sep 17 00:00:00 2001 From: mde Date: Sat, 27 May 2023 09:53:12 -0700 Subject: [PATCH] Added security banner to README --- README.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 81a9aa10..7355c2f1 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,21 @@ Embedded JavaScript templates
-[![Build Status](https://img.shields.io/travis/mde/ejs/master.svg?style=flat)](https://travis-ci.org/mde/ejs) -[![Developing Dependencies](https://img.shields.io/david/dev/mde/ejs.svg?style=flat)](https://david-dm.org/mde/ejs?type=dev) [![Known Vulnerabilities](https://snyk.io/test/npm/ejs/badge.svg?style=flat)](https://snyk.io/test/npm/ejs) ============================= +Security professionals, before reporting any security issues, please reference the +SECURITY.md +in this project, in particular, the following: "EJS is effectively a JavaScript runtime. +Its entire job is to execute JavaScript. If you run the EJS render method without +checking the inputs yourself, you are responsible for the results." + +In short, DO NOT submit 'vulnerabilities' that include this snippet of code: + +```javascript +app.get('/', (req, res) => { + res.render('index', req.query); +}); +``` + ## Installation ```bash