go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag
Author: semgrep
Downloads: 6,305
Detected template variable interpolation in an HTML tag. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over HTML but without the need to use escaped characters. Use explicit tags instead.
Definition
```yaml
rules:
  - id: no-interpolation-in-tag
    message: >-
      Detected template variable interpolation in an HTML tag. This is
      potentially vulnerable to cross-site scripting (XSS) attacks because a
      malicious actor has control over HTML but without the need to use escaped
      characters. Use explicit tags instead.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://github.com/golang/go/issues/19669
        - https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/
      category: security
      technology:
        - generic
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - generic
    severity: WARNING
    paths:
      include:
        - "*.html"
        - "*.thtml"
        - "*.gohtml"
        - "*.tmpl"
        - "*.tpl"
    pattern: <{{ ... }} ... >
```
Examples
no-interpolation-in-tag.html

```html
<h4>From: {{.from_email}}</h4>
<h4>To: {{.recipient}}</h4>
<h4>Subject: {{.subject}}</h4>
<div class="email" style="display: block;">
  <!-- ok:no-interpolation-in-tag -->
  {{.message}}
</div>
<div class="email-text" style="display: none;">
  <!-- ok:no-interpolation-in-tag -->
  <pre>{{.body}}</pre>
  <a href="https://example.com/">
    <!-- ruleid:no-interpolation-in-tag -->
    <{{.HeaderSize}} class="upper">
      {{.link_text}}
    </{{.HeaderSize}}>
    <!-- ruleid:no-interpolation-in-tag -->
    <{{.HeaderSize}}
      class="lower"
      style="font-size: 1.5em"
    >
      {{.paragraph_text}}
    </{{.HeaderSize}}>
  </a>
</div>
<hr>
```
Short Link: https://sg.run/LwJJ