From 101b07969ae22aa61d822fc1a72c3b7474c86b8a Mon Sep 17 00:00:00 2001 From: Julian Gonggrijp Date: Fri, 20 Feb 2026 23:04:51 +0100 Subject: [PATCH 1/2] Emphasize that _.template must only be used for trusted input in doc --- index.html | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/index.html b/index.html index e2174607d..87b9e9bda 100644 --- a/index.html +++ b/index.html @@ -2692,6 +2692,12 @@

Utility Functions

should be a hash containing any _.templateSettings that should be overridden.

+

+ _.template allows the template author to insert arbitrary + JavaScript code by design. This means that you should only pass template + code from trusted authors. +

+
 var compiled = _.template("hello: <%= name %>");
 compiled({name: 'moe'});
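Review bot: the new paragraph should say which argument is the one that must be trusted, because the example right below it passes both a template string to `_.template` and a data object to `compiled()`. The arbitrary-JavaScript capability lives in the template source (the string handed to `_.template`); the `{name: 'moe'}` object is interpolated into the output, not compiled. Consider wording it as "only compile template code from trusted authors; the data object passed to the compiled function is interpolated, not executed" so readers do not conclude that the data object falls under the same rule, and consider mentioning that the `_.templateSettings` overrides referenced in the preceding sentence are part of that trusted template source as well.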

From 54cf593f82f0c082990d9613e8403a3d8d9e5667 Mon Sep 17 00:00:00 2001
From: Julian Gonggrijp 
Date: Wed, 25 Feb 2026 21:15:54 +0100
Subject: [PATCH 2/2] Add note about _.template to security policy

---
 SECURITY.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/SECURITY.md b/SECURITY.md
index 9d564f97d..afc58ca65 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -24,6 +24,26 @@ disclose the issue.
 After receiving your email, we will respond as soon as possible and indicate
 what we plan to do.
 
+### A note on `_.template`
+
+[`template`][template] allows the user to inject arbitrary JavaScript
+code in the template string. This is allowed by design. In fact, it is
+the main feature of `template`. Without this feature, templates would
+not be able to have conditional or repeated sections.
+
+Because of this feature, it is the responsibility of the user not to
+pass any untrusted input to `template`. The contract is similar to
+that of the `Function` constructor or even `eval`: this function is so
+powerful that it can be dangerous, so use it with care.
+
+If this does not sound exactly like what you were considering to
+report, or in case of doubt, please do send us a report. Of course, we
+would rather be safe than sorry. You would not be the first to find a
+[vulnerability in `template`][cve-2021-23358].
+
+[template]: https://underscorejs.org/#template
+[cve-2021-23358]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
+
 ## Disclosure policy
 
 After confirming a vulnerability, we will generally release a security update
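Review bot: "the user" in the first sentence of the new section is ambiguous in a security policy, where "user" normally means the end user of the application rather than the developer calling `template`; say "the caller" or "the template author". For the same reason, "not to pass any untrusted input to `template`" should state that this covers the template string (the first argument to `template`), so a reporter can tell whether a finding that only involves the data passed to the compiled function is in scope. Two smaller points: "considering to report" should read "considering reporting", and since the section links CVE-2021-23358 as a prior real vulnerability, a sentence saying what distinguishes that case from the by-design behaviour described above would make the scope clearer.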