go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag

Author: semgrep
Download count: 6,305

Detected template variable interpolation in an HTML tag. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor who controls the interpolated value controls the HTML element itself, without needing any of the characters the template engine escapes. Use explicit tags instead.


Definition

rules:
  - id: no-interpolation-in-tag
    message: Detected template variable interpolation in an HTML tag. This is
      potentially vulnerable to cross-site scripting (XSS) attacks because a
      malicious actor has control over HTML but without the need to use escaped
      characters. Use explicit tags instead.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://github.com/golang/go/issues/19669
        - https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/
      category: security
      technology:
        - generic
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - generic
    severity: WARNING
    paths:
      include:
        - "*.html"
        - "*.thtml"
        - "*.gohtml"
        - "*.tmpl"
        - "*.tpl"
    pattern: <{{ ... }} ... >

Examples

no-interpolation-in-tag.html

<h4>From: {{.from_email}}</h4>
<h4>To: {{.recipient}}</h4>
<h4>Subject: {{.subject}}</h4>
<div class="email" style="display: block;">
    <!-- ok:no-interpolation-in-tag -->
    {{.message}}
</div>
<div class="email-text" style="display: none;">
    <!-- ok:no-interpolation-in-tag -->
    <pre>{{.body}}</pre>
    <a href="https://example.com/">
        <!-- ruleid:no-interpolation-in-tag -->
        <{{.HeaderSize}} class="upper">
            {{.link_text}}
        </{{.HeaderSize}}>

        <!-- ruleid:no-interpolation-in-tag -->
        <{{.HeaderSize}}
            class="lower"
            style="font-size: 1.5em"
        >
            {{.paragraph_text}}
        </{{.HeaderSize}}>

    </a>
</div>
<hr>