Go

Made by DeepSource

Incomplete URL scheme validation GO-S1004

Security
Major
Autofix · A03 · CWE-20 · SANS Top 25 · OWASP Top 10

Rejecting only the javascript scheme is not enough. The check should also cover the vbscript and data schemes, because URLs with those schemes can carry executable code with much the same effect as a javascript: URL.

A URL with the javascript scheme executes script when it is visited. Scripting is what makes feature-rich web applications possible, but it can equally be used for malicious purposes, so a URL taken from an untrusted source may carry harmful code. URLs with the vbscript and data schemes behave in a similar way: a vbscript: URL runs script in browsers that still support VBScript, and a data: URL can embed an entire HTML document, including a script, inline. A validator should therefore reject all three schemes, javascript, vbscript and data, rather than the first alone.

Bad practice

// Only javascript: is rejected; vbscript: and data: URLs are returned unchanged.
func validateURLScheme(rawURL string) string {
    u, err := url.Parse(rawURL)
    if err != nil || u.Scheme == "javascript" {
        return "about:blank"
    }
    return rawURL
}

Recommended

// Reject every scheme that can carry executable content. url.Parse lowercases
// the scheme, so mixed-case variants such as "JavaScript:" are caught as well.
func validateURLScheme(rawURL string) string {
    u, err := url.Parse(rawURL)
    if err != nil || u.Scheme == "javascript" || u.Scheme == "data" || u.Scheme == "vbscript" {
        return "about:blank"
    }
    return rawURL
}
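To see how the recommended denylist behaves on the edge cases a reviewer would probe (mixed-case schemes, control bytes, leading whitespace, relative URLs, schemes the list does not name), here is an added, self-contained example; it is not code from this page or from DeepSource's analyzer. It keeps the page's denylist and places a stricter allowlist variant beside it. The function names `rejectScriptSchemes` and `allowWebSchemes`, the choice of http, https and relative URLs as the allowlist, and every sample input are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
)

// blockedSchemes lists the schemes that let a URL carry executable content
// (the three named by GO-S1004). net/url lowercases the scheme on Parse,
// so a lowercase denylist also catches "JavaScript:" and "DATA:".
var blockedSchemes = map[string]bool{
	"javascript": true,
	"vbscript":   true,
	"data":       true,
}

// rejectScriptSchemes is the denylist form recommended on this page:
// unparsable URLs and URLs with a scripting scheme become about:blank;
// everything else, including relative URLs (which parse with an empty
// scheme), is returned unchanged.
func rejectScriptSchemes(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil || blockedSchemes[u.Scheme] {
		return "about:blank"
	}
	return rawURL
}

// allowedSchemes is the stricter allowlist variant (an assumption for this
// example): only the schemes the application needs pass through. The empty
// scheme is included so relative URLs, which resolve against the current
// origin, are still accepted.
var allowedSchemes = map[string]bool{
	"http":  true,
	"https": true,
	"":      true,
}

// allowWebSchemes rejects anything that is not http, https or relative.
func allowWebSchemes(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil || !allowedSchemes[u.Scheme] {
		return "about:blank"
	}
	return rawURL
}

func main() {
	// Constructed sample inputs (not from the page); each exercises a
	// different path through the two validators.
	inputs := []string{
		"https://example.com/path?q=1",
		"/relative/path",
		"javascript:alert(1)",
		"JavaScript:alert(1)", // mixed case: url.Parse lowercases the scheme
		"vbscript:MsgBox(1)",
		"data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
		"java\tscript:alert(1)", // control byte: url.Parse returns an error
		" javascript:alert(1)",  // leading space: no scheme, and a colon in the first path segment is a parse error
		"ftp://example.com/file",    // passes the denylist, fails the allowlist
		"mailto:user@example.com",   // passes the denylist, fails the allowlist
	}
	for _, in := range inputs {
		fmt.Printf("%-62q denylist=%-32q allowlist=%q\n",
			in, rejectScriptSchemes(in), allowWebSchemes(in))
	}
}
```

Run it with `go run`. Two properties of net/url do most of the work: Parse lowercases Scheme, so a lowercase denylist catches JavaScript:, and Parse returns an error both for a control byte anywhere in the URL and for a schemeless URL whose first path segment contains a colon, which is what a leading space turns javascript:alert(1) into. Neither property helps with a scheme the denylist simply does not name, which is why the allowlist is the safer shape whenever the application only needs ordinary web links.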