89 return strings.ReplaceAll(s, "\"", "\\\"")
90 },
91 "safe": func(s string) template.HTML {
92 return template.HTML(fmt.Sprintf("%q", s)) 93 },
94 "shellsplit": func(s string) ([]string, error) {
95 return shellquote.Split(s)
13 return common.CoalesceString(ss...)
14 },
15 "safe": func(s string) template.HTML {
16 return template.HTML(fmt.Sprintf("%q", s))17 },
18 "upper": func(s string) string {
19 return common.UpperName(s)
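// templateHelpers returns the helper functions made available to the HTML
// templates.
//
// "safe" returns its argument as a Go-quoted string literal (fmt's %q verb)
// typed as template.HTML, which html/template inserts verbatim in HTML
// content context. %q only escapes for Go syntax — quotes, backslashes and
// non-printable runes — and leaves HTML metacharacters (<, >, &) untouched,
// so the value is HTML-escaped before it is quoted; otherwise any markup in an
// untrusted argument would reach the rendered page unescaped.
func templateHelpers() map[string]interface{} {
	return map[string]interface{}{
		"safe": func(s string) template.HTML {
			// Escape first, then quote: the template.HTML wrapper disables
			// html/template's own escaping for this value, so this is the
			// only place the argument's <, > and & get neutralised.
			escaped := template.HTMLEscapeString(s)
			return template.HTML(fmt.Sprintf("%q", escaped))
		},
	}
}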
140 return c.RenderTemplate("404", params)
141 }
142
143 params["Body"] = template.HTML(d.Body)144 params["Breadcrumbs"] = documents.Breadcrumbs(d.Slug)
145 params["Category"] = d.Category()
146 params["Path"] = d.Path
88 return i*16 + 10
89 },
90 "join": func(sep string, ss []string) template.HTML {
91 return template.HTML(strings.Join(ss, sep)) 92 },
93 "mul": func(x, y int) int {
94 return x * y
Potential unescaped data in HTML template.
Do not pass external values into the template without escaping them first: content wrapped in the types listed below bypasses HTML auto-escaping and could lead to code injection attacks.
Recommendations:
template.JS: Using JS to include valid but untrusted JSON is not safe. A safe alternative is to parse the JSON with json.Unmarshal and then pass the resultant object into the template, where it will be converted to sanitized JSON when presented in a JavaScript context.
template.HTML: Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.
template.HTMLAttr: Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.
template.URL: Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.
package main
import (
"fmt"
"html/template"
"os"
)
// main renders an empty template with a JSON value that stands in for
// untrusted input. The value is wrapped in template.JS, which tells
// html/template to emit it verbatim in a JavaScript context rather than
// escaping it; this is the pattern the rule reports. Parsing the input with
// json.Unmarshal and passing the resulting value to the template instead
// lets html/template produce sanitized JSON.
func main() {
	// Tainted, untrusted JSON.
	untrusted := `{"name": "untrusted"}`

	tmpl := template.Must(template.New("x").Parse(""))
	data := map[string]interface{}{
		// template.JS disables contextual escaping for this one value.
		"Body": template.JS(untrusted),
	}

	err := tmpl.Execute(os.Stdout, data)
	if err == nil {
		return
	}
	fmt.Fprintln(os.Stderr, err)
	os.Exit(1)
}
package main
import (
"fmt"
"html/template"
"os"
)
// main renders an empty template with a template.JS value built from a string
// literal. A hard-coded literal is treated as trusted: the programmer would
// have to deliberately write unsafe content into their own source for it to
// be a problem, so the rule does not report it.
func main() {
	tmpl := template.Must(template.New("x").Parse(""))

	// Hard-coded template content is assumed safe; only data that originates
	// outside the program needs escaping.
	trusted := template.JS(`{"name": "trusted"}`)
	data := map[string]interface{}{
		"Body": trusted,
	}

	err := tmpl.Execute(os.Stdout, data)
	if err == nil {
		return
	}
	fmt.Fprintln(os.Stderr, err)
	os.Exit(1)
}