Clarification: 1.3.7 "Built"

[ajayojha]

Verify that the application protects against template injection attacks by not
allowing templates to be built based on untrusted input. Where there is no
alternative, any untrusted input being included dynamically during template
creation must be sanitized or strictly validated.

"built"
What does "built" mean? Many frameworks, templates are dynamic by nature.

"sanitized" or "validated"
Difficult to understand-- What is important and how -- is missing?

I think the sanitization should not be the primary defense in template engines, this is not same as HTML sanitization as far as I know and the requrement doesn't mention the insecure template engines.

[jmanico]

I agree again that sanitization is not the right defense here - sanitizing data and then using is almost always a bad idea and validation/rejection cycles and normal JSON data flows to popular templates are better.

Perhaps:

Verify that the application protects against template injection attacks by not allowing templates to be assembled based on untrusted input. Where there is no alternative, any untrusted input being included dynamically during template creation must be strictly validated.