Audit the usage of unescaped data in HTML templates GSC-G203
The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.
89 return strings.ReplaceAll(s, "\"", "\\\"")
90 },
91 "safe": func(s string) template.HTML {
92 return template.HTML(fmt.Sprintf("%q", s)) 93 },
94 "shellsplit": func(s string) ([]string, error) {
95 return shellquote.Split(s)The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.
13 return common.CoalesceString(ss...)
14 },
15 "safe": func(s string) template.HTML {
16 return template.HTML(fmt.Sprintf("%q", s))17 },
18 "upper": func(s string) string {
19 return common.UpperName(s)The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.
607func templateHelpers() map[string]interface{} {
608 return map[string]interface{}{
609 "safe": func(s string) template.HTML {
610 return template.HTML(fmt.Sprintf("%q", s))611 },
612 }
613}The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.
140 return c.RenderTemplate("404", params)
141 }
142
143 params["Body"] = template.HTML(d.Body)144 params["Breadcrumbs"] = documents.Breadcrumbs(d.Slug)
145 params["Category"] = d.Category()
146 params["Path"] = d.PathThe used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.
88 return i*16 + 10
89 },
90 "join": func(sep string, ss []string) template.HTML {
91 return template.HTML(strings.Join(ss, sep)) 92 },
93 "mul": func(x, y int) int {
94 return x * y
Description
Potential unescaped data in HTML template.
Do not use external values in the template without escaping as it will not auto-escape HTML and could lead to code injection attacks.
Recommendations:
template.JS: Using JS to include valid but untrusted JSON is not safe. A safe alternative is to parse the JSON with json.Unmarshal and then pass the resultant object into the template, where it will be converted to sanitized JSON when presented in a JavaScript context.template.HTML: Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.template.HTMLAttr: Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.template.URL: Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.
Bad practice
package main
import (
"fmt"
"html/template"
"os"
)
func main() {
// Tainted untrusted JSON
a := `{"name": "untrusted"}`
t := template.Must(template.New("x").Parse(""))
v := map[string]interface{}{
"Body": template.JS(a),
}
if err := t.Execute(os.Stdout, v); err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
}
Recommended
package main
import (
"fmt"
"html/template"
"os"
)
func main() {
// We assume that hardcoded template strings are safe as the programmer would
// need to be explicitly shooting themselves in the foot (as below)
t := template.Must(template.New("x").Parse(""))
v := map[string]interface{}{
"Body": template.JS(`{"name": "trusted"}`),
}
if err := t.Execute(os.Stdout, v); err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
}