go.lang.security.audit.xss.import-text-template.import-text-template

Author: semgrep
Download count: 6,305

When working with web applications that render user-generated content, it's important to escape that content as HTML to prevent Cross-Site Scripting (XSS). In Go, the text/template package inserts values verbatim and does not escape HTML, which can leave your application open to XSS when a template renders attacker-controlled data into a page. The html/template package has the same API but applies contextual escaping automatically, so using it to render HTML is the recommended mitigation; in most code the fix is nothing more than swapping the import.
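To make the difference concrete, here is an added example (not code from the rule page or the Semgrep project) that renders one template source with both packages; the sample title, the `Todo` type and the `renderText`/`renderHTML` helpers are constructed for this illustration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Constructed sample input: a user-supplied todo title that carries markup,
// and the one template source that both packages below parse.
const (
	untrustedTitle = `<script>alert("hi")</script>`
	itemTmpl       = `<li>{{.Title}}</li>`
)

type Todo struct{ Title string }

// renderText uses text/template: the title is inserted verbatim, so the
// markup reaches the browser as live HTML (the condition the rule flags).
func renderText(t Todo) (string, error) {
	tmpl, err := texttemplate.New("item").Parse(itemTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = tmpl.Execute(&buf, t)
	return buf.String(), err
}

// renderHTML uses html/template on the identical source: it sees that {{.Title}}
// sits in an HTML text context and escapes <, >, & and quotes, so the same
// input renders as inert text.
func renderHTML(t Todo) (string, error) {
	tmpl, err := htmltemplate.New("item").Parse(itemTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = tmpl.Execute(&buf, t)
	return buf.String(), err
}

func main() {
	todo := Todo{Title: untrustedTitle}
	text, _ := renderText(todo)
	safe, _ := renderHTML(todo)
	fmt.Println("text/template:", text) // <li><script>alert("hi")</script></li>
	fmt.Println("html/template:", safe) // <li>&lt;script&gt;alert(&#34;hi&#34;)&lt;/script&gt;</li>
}
```

Only the import line differs between the two helpers, which is exactly the one-line change the rule's `fix` proposes.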

Definition

rules:
  - id: import-text-template
    message: When working with web applications that involve rendering
      user-generated content, it's important to properly escape any HTML
      content to prevent Cross-Site Scripting (XSS) attacks. In Go, the
      `text/template` package does not automatically escape HTML content, which
      can leave your application vulnerable to these types of attacks. To
      mitigate this risk, it's recommended to use the `html/template` package
      instead, which provides built-in functionality for HTML escaping. By
      using `html/template` to render your HTML content, you can help to ensure
      that your web application is more secure and less susceptible to XSS
      vulnerabilities.
    metadata:
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      references:
        - https://www.veracode.com/blog/secure-development/use-golang-these-mistakes-could-compromise-your-apps-security
      category: security
      technology:
        - go
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    severity: WARNING
    patterns:
      - pattern: |
          import "$IMPORT"
      - metavariable-regex:
          metavariable: $IMPORT
          regex: ^(text/template)$
      - focus-metavariable: $IMPORT
    fix: |
      html/template
    languages:
      - go

Examples

import-text-template.go

// cf. https://www.veracode.com/blog/secure-development/use-golang-these-mistakes-could-compromise-your-apps-security

package main

import (
  "encoding/json"
  "log"
  "net/http"
  "os"
  // ruleid: import-text-template
  "text/template"
)

// TodoPageData is the data handed to index.html.
type TodoPageData struct {
  PageTitle string
  Todos     []Todo
}

// Todo is one item read from todos.json.
type Todo struct {
  Title string `json:"title"`
  Done  bool   `json:"done"`
}

// ToString serialises a todo as JSON.
func (t Todo) ToString() string {
  bytes, _ := json.Marshal(t)
  return string(bytes)
}

// getTodos loads the todo list from ./todos.json; on any error it returns an empty list.
func getTodos() []Todo {
  var todos []Todo
  raw, err := os.ReadFile("./todos.json")
  if err != nil {
    log.Printf("reading todos.json: %v", err)
    return todos
  }
  if err := json.Unmarshal(raw, &todos); err != nil {
    log.Printf("parsing todos.json: %v", err)
  }
  return todos
}

func main() {
  // text/template inserts Title values into index.html verbatim, so a title
  // containing markup is rendered as HTML; html/template would escape it.
  tmpl := template.Must(template.ParseFiles("index.html"))

  http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
    data := TodoPageData{
      PageTitle: "My Todos!",
      Todos:     getTodos(),
    }
    if err := tmpl.Execute(w, data); err != nil {
      log.Printf("rendering index.html: %v", err)
    }
  })

  log.Fatal(http.ListenAndServe(":"+os.Getenv("PORT"), nil))
}