Cross Site Scripting (XSS) via template functions
Description
Using the template types template.HTML, template.JS, template.URL, and template.HTMLAttr on user input can lead to Cross Site Scripting (XSS). These types mark a value as already safe for their context, so the template engine inserts it without escaping. To prevent such attacks, data must be encoded for the specific context in which it is used (HTML body, attribute, JavaScript, or URL).
Examples
Insecure Code
```go
template.HTML(userInput)
```
Secure Code
```go
const safeHTML = "<div>hardcoded, safe html</div>"
return template.HTML(safeHTML)
```
Remediation
Remove these template types from the application, or apply them only to hardcoded const strings. Let a safe, context-aware encoder such as Go's 'html/template' package escape user input instead of marking it as trusted.
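The following is an added example, not code from the rule page or from any scanned project. It renders the same constructed input once through the flagged pattern (wrapped in template.HTML) and once as a plain string, so the effect of html/template's context-aware escaping is visible; the input value and the template are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// userInput is a constructed sample of untrusted data (assumed to come from
// a request parameter in a real handler).
const userInput = `<script>alert(1)</script>`

// page is a minimal assumed template that places the value in HTML body context.
var page = template.Must(template.New("page").Parse(`<div>{{.Body}}</div>`))

// RenderUnsafe reproduces the flagged pattern: wrapping user input in
// template.HTML tells html/template the value is already safe, so it is
// inserted verbatim and any markup it contains reaches the browser intact.
func RenderUnsafe(input string) (string, error) {
	var buf bytes.Buffer
	err := page.Execute(&buf, map[string]any{"Body": template.HTML(input)})
	return buf.String(), err
}

// RenderSafe passes the same input as a plain string; html/template escapes
// it for the HTML body context, so the markup is rendered as inert text.
func RenderSafe(input string) (string, error) {
	var buf bytes.Buffer
	err := page.Execute(&buf, map[string]any{"Body": input})
	return buf.String(), err
}

// TrustedFragment shows the only use the rule accepts: a compile-time
// constant, never user data, converted to template.HTML.
func TrustedFragment() template.HTML {
	const safeHTML = "<div>hardcoded, safe html</div>"
	return template.HTML(safeHTML)
}

func main() {
	unsafe, _ := RenderUnsafe(userInput)
	safe, _ := RenderSafe(userInput)
	fmt.Println("unsafe:", unsafe) // markup passes through unchanged
	fmt.Println("safe:  ", safe)   // markup is escaped as &lt;script&gt;...
}
```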
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0790 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-79 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | xss, cross-site-scripting, template-injection |
| OWASP | A1:2017-Injection, A03:2021-Injection |