
Petersoj

#43240 of 53,624
6.1 Total CVSS
Vulnerabilities · 1
PT-2025-4773
6.1
2025-01-13
Jte · Jte · CVE-2025-23026
**Name of the Vulnerable Software and Affected Versions**

jte (Java Template Engine), versions 3.1.15 and earlier

**Description**

The issue affects jte HTML templates whose `script` tags or script attributes contain a JavaScript template string (delimited by backticks), making them subject to XSS. The `javaScriptBlock` and `javaScriptAttribute` methods in the `Escape` class do not escape backticks, which delimit JavaScript template strings. Dollar signs in template strings should also be escaped to prevent undesired `${...}` interpolation. HTML templates rendered by jte's `OwaspHtmlTemplateOutput` in versions `3.1.15` and earlier with `script` tags or script attributes that contain JavaScript template strings (backticks) are vulnerable.

**Recommendations**

To resolve this issue, upgrade to version 3.1.16 or later. As a temporary workaround, consider disabling the `javaScriptBlock` and `javaScriptAttribute` methods in the `Escape` class until a patch is available. Restrict access to the `OwaspHtmlTemplateOutput` module to minimize the risk of exploitation. Avoid using `script` tags or script attributes that contain JavaScript template strings (backticks) in the affected API endpoint until the issue is resolved.
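As an added illustration (not jte's own `Escape` class; the class, method names and sample value below are constructed), the following Java shows an escaper with the gap the advisory describes beside a hardened one that also escapes backticks and dollar signs, plus a check that flags output still containing unescaped template-string delimiters:

```java
// Added example, not jte's own Escape class; names and sample value are constructed.
public final class JsTemplateEscape {
    // Incomplete escaper with the gap the advisory describes: quotes and
    // backslashes are handled, but backtick and $ pass through unchanged.
    static String escapeQuotesOnly(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"").replace("'", "\\'");
    }

    // Hardened: also escapes backtick (template delimiter), $ (blocks ${...}
    // interpolation), '<' and '>' (no "</script>" in output) and line terminators.
    static String escapeJavaScript(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': out.append("\\\\"); break;
                case '"':  out.append("\\\""); break;
                case '\'': out.append("\\'"); break;
                case '`':  out.append("\\`"); break;
                case '$':  out.append("\\$"); break;
                case '<':  out.append("\\u003C"); break;
                case '>':  out.append("\\u003E"); break;
                case '\n': out.append("\\n"); break;
                case '\r': out.append("\\r"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Check for output destined for a `...` literal: no backtick and no "${"
    // may remain unless the preceding backslash count is odd.
    static boolean safeInsideTemplateLiteral(String s) {
        boolean escaped = false; // previous char was an unescaped backslash
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (escaped) { escaped = false; continue; }
            if (c == '\\') { escaped = true; continue; }
            if (c == '`') return false;
            if (c == '$' && i + 1 < s.length() && s.charAt(i + 1) == '{') return false;
        }
        return true;
    }

    public static void main(String[] args) {
        String value = "O`Neil ${1+1}"; // constructed user-controlled value
        for (String e : new String[] { escapeQuotesOnly(value), escapeJavaScript(value) })
            System.out.println(e + "  safe inside `...`: " + safeInsideTemplateLiteral(e));
    }
}
```

The quotes-only output fails the check because the backtick and `${` survive untouched, while the hardened output passes; the same check can be applied to any value before it is placed inside a template literal in a `script` block.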