Code Review

What to look for

There are several ways the template injection can happen, below you can find some examples.

Spring Boot Thymeleaf

Utext

Mainly during code review you should look for places where utext (unescaped text) is passed to the output and you are able to set this particular expression value.

<!-- Executes/outputs HTML; dangerous if upstream allows expressions -->
<p th:utext="${user.bio}"></p>  

User controlled template text

String body = request.getParameter("body"); // Attacker controls template text
Context ctx = new Context();
ctx.setVariable("x", 1);
String html = templateEngine.process(body, ctx); // Renders attacker’s template

Java EE Expression Language (.jsp)

Unescaped output

<!-- EscapeXML is set to false -->
<c:out value="${param.note}" escapeXml="false" />

Evaluating EL dynamically

// Don't do this: evaluating arbitrary EL strings
String expr = request.getParameter("expr");

// Executes EL
Object val = javax.el.ELProcessor.class.getConstructor().newInstance().eval(expr);

Python Jinja2

Rendering user-supplied template text (true SSTI)

# Flask example
from flask import request
from jinja2 import Environment

env = Environment()  # regular env, not sandboxed
user_tpl = request.args.get("tpl", "")         # attacker controls template source
return env.from_string(user_tpl).render(user="Alice")  # evaluates attacker code

Escaping turned off

<!-- profile.html -->
<p>{{ bio|safe }}</p>  <!-- if bio is user-controlled, this is XSS -->

Building templates dynamically with user fragments

frag = request.args.get("frag", "")
tpl = f"<h1>Hello</h1>{frag}"       # user content becomes template source
return render_template_string(tpl)   # evaluates any Jinja syntax inside frag