go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr

Community Favorite
profile photo of returntocorpreturntocorp
Author
49,147
Download Count*
LGPL Commons Clause
License

Found a formatted template string passed to 'template. HTMLAttr()'. 'template.HTMLAttr()' does not escape contents. Be absolutely sure there is no user-controlled data in this template or validate and sanitize the data before passing it into the template.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: unescaped-data-in-htmlattr
    message: Found a formatted template string passed to 'template. HTMLAttr()'.
      'template.HTMLAttr()' does not escape contents.  Be absolutely sure there
      is no user-controlled data in this template or  validate and sanitize the
      data before passing it into the template.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://golang.org/pkg/html/template/#HTMLAttr
      category: security
      technology:
        - go
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - go
    severity: WARNING
    pattern-either:
      - pattern: template.HTMLAttr($T + $X, ...)
      - pattern: template.HTMLAttr(fmt.$P("...", ...), ...)
      - pattern: |
          $T = "..."
          ...
          $T = $FXN(..., $T, ...)
          ...
          template.HTMLAttr($T, ...)
      - pattern: |
          $T = fmt.$P("...", ...)
          ...
          template.HTMLAttr($T, ...)
      - pattern: |
          $T, $ERR = fmt.$P("...", ...)
          ...
          template.HTMLAttr($T, ...)
      - pattern: |
          $T = $X + $Y
          ...
          template.HTMLAttr($T, ...)
      - pattern: |-
          $T = "..."
          ...
          $OTHER, $ERR = fmt.$P(..., $T, ...)
          ...
          template.HTMLAttr($OTHER, ...)

Examples

unescaped-data-in-htmlattr.go

package main

import (
	"html/template"
	"net/http"
)

const tmpl = ""

func Concat(r *http.Request) template.HTML {
	customerId := r.URL.Query().Get("id")
	// ruleid: unescaped-data-in-htmlattr
	tmpl := "<html><body><h1>" + customerId + "</h1></body></html>"
	return template.HTMLAttr(tmpl)
}