forked from github/codeql
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathHtmlTemplateEscapingBypassXss.qhelp
More file actions
28 lines (28 loc) · 975 Bytes
/
HtmlTemplateEscapingBypassXss.qhelp
File metadata and controls
28 lines (28 loc) · 975 Bytes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<qhelp>
<overview>
<p>
In Go, the <code>html/template</code> package has a few special types
(<code>HTML</code>, <code>HTMLAttr</code>, <code>JS</code>, <code>JSStr</code>, <code>CSS</code>,
<code>Srcset</code>, and <code>URL</code>)
that allow values to be rendered as-is in the template, avoiding the escaping that all the other strings go
through.
</p>
<p>Using them on user-provided values allows for a cross-site scripting vulnerability.</p>
</overview>
<recommendation>
<p>
Make sure to never use those types on untrusted content.
</p>
</recommendation>
<example>
<p>
In the first example you can see the special types and how they are used in a template:
</p>
<sample src="HtmlTemplateEscapingBypassXssBad.go" />
<p>
To avoid XSS, all user input should be a normal string type.
</p>
<sample src="HtmlTemplateEscapingBypassXssGood.go" />
</example>
</qhelp>