semgrep-rules
False positive on unquoted-attribute-var for Angular
Describe the bug
semgrep-rules/generic/html-templates/security/unquoted-attribute-var.yaml at develop · returntocorp/semgrep-rules
This triggers for Angular templates with unquoted attributes, but Angular actually behaves correctly and replaces the attribute value, instead of doing string replace.
example.html:
<h2 class="title" title={{name}}>Hello {{name}}</h2>
$ semgrep -c 'r/generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var' example.html
example.html
generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var
Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could
inject custom JavaScript handlers. To fix this, add quotes around the template expression,
like this: "{{ expr }}".
Details: https://sg.run/weNX
▶▶┆ Autofix ▶ s/{{(.*?)}}/"{{\1}}"/g
1┆ <h2 class="title" title={{name}}>Hello {{name}}</h2>
This is also an issue in Ember.js, where you have templates that look like this:
<top.heading @hasFilters={{data.foo}}>
...
</top.heading>
Fixing this for Ember would be a matter of considering @attributename={{ ... }} acceptable, unless I'm forgetting some edge case. Fixing this for Angular seems like it might not be possible unless the project can be detected as Angular.
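The following is an added example, not code from the semgrep-rules project or from this issue's author. It sketches, in Python, the exemption the report proposes for Ember: flag `attr={{ ... }}` only when the attribute is a plain HTML attribute, and treat an Ember argument (`@attr={{ ... }}`) as acceptable. It also shows a narrower autofix than the `s/{{(.*?)}}/"{{\1}}"/g` substitution in the semgrep output above, which would also wrap mustaches that sit in text content such as `Hello {{name}}`. The sample templates are constructed for the example; the Angular case still gets flagged here, since nothing in a single template file tells the checker which engine renders it, which is the point the report makes about Angular.

```python
import re

# Constructed sample templates, taken from the shapes discussed in the report.
ANGULAR_TEMPLATE = '<h2 class="title" title={{name}}>Hello {{name}}</h2>'
EMBER_TEMPLATE = '<top.heading @hasFilters={{data.foo}}>\n...\n</top.heading>'
JINJA_STYLE_TEMPLATE = '<a href={{ url }} class="link">{{ label }}</a>'
QUOTED_TEMPLATE = '<a href="{{ url }}">{{ label }}</a>'

# An opening tag: '<', a tag name, then anything up to the closing '>'.
# Closing tags ('</x>') are skipped because '/' is not a letter.
TAG_RE = re.compile(r'<[A-Za-z][^<>]*>')

# An attribute whose value is an unquoted mustache expression, e.g.
#   title={{name}}   or   @hasFilters={{data.foo}}
# Group 1 is the attribute name (a leading '@' marks an Ember argument),
# group 2 is the {{ ... }} expression. The lookbehind requires whitespace
# before the name so we only match at an attribute boundary, and a quoted
# value (attr="{{x}}") never matches because '=' is followed by '"'.
ATTR_RE = re.compile(r'(?<=\s)(@?[A-Za-z_][\w:.-]*)=(\{\{.*?\}\})')


def find_unquoted_attribute_vars(template: str, allow_ember_args: bool = True):
    """Return (line number, attribute name) for each unquoted template
    variable used as an attribute value. With allow_ember_args=True an
    '@name={{...}}' Ember argument is not reported, as the report proposes."""
    findings = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for tag in TAG_RE.finditer(line):
            for attr in ATTR_RE.finditer(tag.group(0)):
                name = attr.group(1)
                if allow_ember_args and name.startswith('@'):
                    continue
                findings.append((lineno, name))
    return findings


def quote_unquoted_attribute_vars(template: str, allow_ember_args: bool = True) -> str:
    """Autofix that wraps only the offending attribute value in double quotes.
    Mustaches in text content are left alone, unlike a global s/{{...}}/"{{...}}"/."""

    def fix_tag(tag_match):
        def fix_attr(attr_match):
            name, value = attr_match.group(1), attr_match.group(2)
            if allow_ember_args and name.startswith('@'):
                return attr_match.group(0)  # Ember argument: leave unchanged
            return f'{name}="{value}"'

        return ATTR_RE.sub(fix_attr, tag_match.group(0))

    return TAG_RE.sub(fix_tag, template)


if __name__ == "__main__":
    for label, tpl in [("angular", ANGULAR_TEMPLATE), ("ember", EMBER_TEMPLATE),
                       ("jinja-style", JINJA_STYLE_TEMPLATE), ("quoted", QUOTED_TEMPLATE)]:
        print(label, find_unquoted_attribute_vars(tpl))
    print(quote_unquoted_attribute_vars(ANGULAR_TEMPLATE))
```

Run as a script it prints the findings for each constructed template and the quoted-attribute rewrite of the Angular line. The Ember exemption is deliberately tied to the leading `@`, which is the one syntactic marker the report identifies; nothing here attempts to detect Angular, because a lone template file carries no such marker.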