What is CSTI

Client-Side Template Injection (CSTI) is a security vulnerability that occurs when untrusted input is inserted into the source of a client-side template without proper validation, so that the template engine parses the input as template syntax rather than treating it as plain data. Because the framework evaluates template expressions in the browser, this can enable attackers to execute malicious scripts in a user's browser, potentially compromising sensitive information or altering the application's behavior. To prevent CSTI, developers must ensure strict validation and encoding of user input before it is injected into templates.

<div id="some-element-id">
    <p>
        Hello {{ username }}, your balance is {{ balance }}
    </p>
    <!-- [...] -->
</div>
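The template above mixes fixed markup with `{{ ... }}` expressions. The following example, added here and not part of the original page, uses a toy lookup-only template engine to show the difference between concatenating user input into the template source (the CSTI pattern) and passing it as data; the names `compile`, `renderUnsafe`, `renderSafe` and `hasTemplateSyntax` are assumptions for this illustration, not any real library's API.

```javascript
// Added example (not from the original page): a toy {{ name }} template
// engine that only does data lookups, used to show why user input must reach
// a client-side template as *data*, never as part of the template *source*.
// compile, renderUnsafe, renderSafe and hasTemplateSyntax are assumed names.
const TOKEN = /\{\{\s*([A-Za-z_$][\w$]*)\s*\}\}/g;

// Compile template source once; the returned function fills in data fields.
function compile(source) {
  return (data) =>
    source.replace(TOKEN, (_, name) =>
      Object.prototype.hasOwnProperty.call(data, name) ? String(data[name]) : '');
}

// UNSAFE: the user-controlled username is concatenated into the template
// source before compilation, so any {{ ... }} the user typed is parsed as a
// template directive. This is the CSTI pattern described above.
function renderUnsafe(username, balance) {
  const source = `Hello ${username}, your balance is {{ balance }}`;
  return compile(source)({ balance });
}

// SAFE: the template source is a constant compiled once; username arrives as
// data, and replace() does not re-scan the substituted string for directives.
const greeting = compile('Hello {{ username }}, your balance is {{ balance }}');
function renderSafe(username, balance) {
  return greeting({ username, balance });
}

// Input validation check: flag values containing template delimiters so they
// can be rejected or logged before they ever reach a template.
function hasTemplateSyntax(input) {
  return /\{\{|\}\}/.test(String(input));
}

// Constructed sample input: a username that is itself template syntax.
const CRAFTED_USERNAME = '{{ balance }}';

console.log(renderUnsafe('alice', 42));          // Hello alice, your balance is 42
console.log(renderUnsafe(CRAFTED_USERNAME, 42)); // Hello 42, your balance is 42  (directive evaluated)
console.log(renderSafe(CRAFTED_USERNAME, 42));   // Hello {{ balance }}, your balance is 42
console.log(hasTemplateSyntax(CRAFTED_USERNAME)); // true
```

In the unsafe path the crafted username is interpreted as a directive and discloses another field; in the safe path the same string is rendered literally.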

Exploitation

In situations where the injected input is evaluated by the template engine, you can use the following expression to confirm JavaScript execution:

{{_s.constructor("alert(origin)")()}}