go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr

Community Favorite
profile photo of semgrepsemgrep
Author
49,147
Download Count*

Found a formatted template string passed to 'template. HTMLAttr()'. 'template.HTMLAttr()' does not escape contents. Be absolutely sure there is no user-controlled data in this template or validate and sanitize the data before passing it into the template.

Run Locally

Run in CI

Defintion

rules:
  - id: unescaped-data-in-htmlattr
    message: Found a formatted template string passed to 'template. HTMLAttr()'.
      'template.HTMLAttr()' does not escape contents. Be absolutely sure there
      is no user-controlled data in this template or validate and sanitize the
      data before passing it into the template.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://golang.org/pkg/html/template/#HTMLAttr
      category: security
      technology:
        - go
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - go
    severity: WARNING
    pattern-either:
      - pattern: template.HTMLAttr($T + $X, ...)
      - pattern: template.HTMLAttr(fmt.$P("...", ...), ...)
      - pattern: |
          $T = "..."
          ...
          $T = $FXN(..., $T, ...)
          ...
          template.HTMLAttr($T, ...)
      - pattern: |
          $T = fmt.$P("...", ...)
          ...
          template.HTMLAttr($T, ...)
      - pattern: |
          $T, $ERR = fmt.$P("...", ...)
          ...
          template.HTMLAttr($T, ...)
      - pattern: |
          $T = $X + $Y
          ...
          template.HTMLAttr($T, ...)
      - pattern: |-
          $T = "..."
          ...
          $OTHER, $ERR = fmt.$P(..., $T, ...)
          ...
          template.HTMLAttr($OTHER, ...)

Examples

unescaped-data-in-htmlattr.go

package main

import (
	"html/template"
	"net/http"
)

const tmpl = ""

func Concat(r *http.Request) template.HTML {
	customerId := r.URL.Query().Get("id")
	// ruleid: unescaped-data-in-htmlattr
	tmpl := "<html><body><h1>" + customerId + "</h1></body></html>"
	return template.HTMLAttr(tmpl)
}