Mustache

The content below is based on OffSec's WEB-200 course.

Mustache differs from other templating engines in being "logic-less": it pushes developers to keep logic in the controller rather than the view. A template can only output values from the render context and loop over or test them with sections (`{{#name}}...{{/name}}`, and the inverted `{{^name}}...{{/name}}` for falsy values); there are no expressions, no function calls, and no access to the underlying programming language. This makes RCE through SSTI far harder to reach than in engines that evaluate arbitrary expressions. The typical result of a Mustache SSTI is information disclosure (reading whatever the application placed in the render context) or XSS, because literal template text is emitted unchanged and the triple-mustache `{{{name}}}` and `{{&name}}` tags skip HTML escaping.
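The following is an added example, not code from the WEB-200 course and not the mustache.js library: a small, constructed renderer that implements the Mustache subset the paragraph describes (escaped and raw variables, sections and inverted sections, dotted names resolved only against own properties of the view), beside a view function that splices a request parameter into the template source and a hardened one that passes it as data. The `VIEW` object, its `session.token` value and the `renderGreetingVulnerable` / `renderGreetingSafe` names are assumptions made for the illustration.

```javascript
// Added example: constructed Mustache-subset renderer plus a vulnerable and a
// hardened view. Not mustache.js and not code from the original page; it exists
// so the lookup and escaping rules can be exercised offline.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);

const hasOwn = (o, k) =>
  o !== null && typeof o === 'object' && Object.prototype.hasOwnProperty.call(o, k);

// Resolve "a.b.c" against a context stack (innermost frame last). This renderer
// follows own properties only, so a template can name only what the view holds;
// there is no walk into prototypes and no way to call anything.
function lookup(stack, name) {
  if (name === '.') return stack[stack.length - 1];
  const [head, ...rest] = name.split('.');
  let v;
  for (let i = stack.length - 1; i >= 0; i--) {
    if (hasOwn(stack[i], head)) { v = stack[i][head]; break; }
  }
  for (const part of rest) {
    if (!hasOwn(v, part)) return undefined;
    v = v[part];
  }
  return v;
}

const isFalsy = (v) => !v || (Array.isArray(v) && v.length === 0);

// Supported tags: {{name}} (HTML-escaped), {{{name}}} and {{&name}} (raw),
// {{#name}}..{{/name}} (section), {{^name}}..{{/name}} (inverted section).
// Partials, lambdas, comments and delimiter changes are omitted; nested
// sections must use distinct names.
function render(template, stack) {
  const tag = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*([#^\/&]?)\s*([\w.]+)\s*\}\}/g;
  let out = '';
  let pos = 0;
  let m;
  while ((m = tag.exec(template)) !== null) {
    out += template.slice(pos, m.index); // literal template text passes through untouched
    pos = tag.lastIndex;
    const raw = m[1] !== undefined || m[2] === '&';
    const sigil = m[1] !== undefined ? '' : m[2];
    const name = m[1] !== undefined ? m[1] : m[3];
    if (sigil === '#' || sigil === '^') {
      const close = new RegExp('\\{\\{\\s*\\/\\s*' + name.replace(/\./g, '\\.') + '\\s*\\}\\}', 'g');
      close.lastIndex = pos;
      const c = close.exec(template);
      if (c === null) throw new Error(`unclosed section {{${sigil}${name}}}`);
      const body = template.slice(pos, c.index);
      pos = close.lastIndex;
      tag.lastIndex = pos;
      const v = lookup(stack, name);
      if (sigil === '^') {
        if (isFalsy(v)) out += render(body, stack);
      } else if (Array.isArray(v)) {
        for (const item of v) out += render(body, stack.concat([item]));
      } else if (!isFalsy(v)) {
        out += render(body, typeof v === 'object' ? stack.concat([v]) : stack);
      }
    } else if (sigil === '/') {
      throw new Error(`unexpected close tag {{/${name}}}`);
    } else {
      const v = lookup(stack, name);
      if (v !== undefined && v !== null) out += raw ? String(v) : escapeHtml(v);
    }
  }
  return out + template.slice(pos);
}

const renderMustache = (template, view) => render(template, [view]);

// Constructed view data, standing in for what a request handler hands the template.
const VIEW = {
  name: 'alice',
  isAdmin: false,
  roles: ['user', 'editor'],
  session: { token: 'sess-4f2a9c' }, // constructed value that should never reach the page
};

// Vulnerable: the request parameter becomes part of the template source, so the
// attacker can write Mustache tags. Even so, they only reach the view data.
function renderGreetingVulnerable(userInput) {
  return renderMustache('<p>Hello ' + userInput + '</p>', VIEW);
}

// Hardened: fixed template; untrusted input travels only as view data and is
// HTML-escaped by the double-mustache tag.
function renderGreetingSafe(userInput) {
  return renderMustache('<p>Hello {{name}}</p>', { ...VIEW, name: userInput });
}
```

With the vulnerable view, `{{session.token}}` leaks the context value and `{{^isAdmin}}<img src=x onerror=alert(1)>{{/isAdmin}}` lands raw markup in the page, while `{{constructor.constructor}}` renders as nothing because the renderer only resolves view data. With the hardened view, the same inputs come out as escaped text.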

Developers often found Mustache too restrictive, and because of this the Handlebars templating engine was created as an extension of Mustache syntax that adds helpers and brings logic back into the template.
