It was discovered that missing input sanitising in the template function of the Underscore JavaScript library could result in the execution of arbitrary code.