go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string
Community Favorite
Author: semgrep
Download Count*: 10,103
License: Commons Clause License Condition v1.0[LGPL-2.1-only]
Detected template variable interpolation in a JavaScript template string. This is potentially vulnerable to cross-site scripting (XSS) because a malicious actor who controls the interpolated value gains control over JavaScript without needing to use escaped characters. Instead, obtain this variable outside of the template string and ensure your template is properly escaped.
Definition
rules:
  - id: no-interpolation-js-template-string
    message: Detected template variable interpolation in a JavaScript template
      string. This is potentially vulnerable to cross-site scripting (XSS)
      attacks because a malicious actor has control over JavaScript but without
      the need to use escaped characters. Instead, obtain this variable outside
      of the template string and ensure your template is properly escaped.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://github.com/golang/go/issues/9200#issuecomment-66100328
        - https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/
      category: security
      technology:
        - generic
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - generic
    severity: WARNING
    paths:
      include:
        - "*.html"
        - "*.thtml"
        - "*.gohtml"
        - "*.tmpl"
        - "*.tpl"
    patterns:
      - pattern-inside: <script ...> ... ... ... ... ... </script>
      - pattern: "` ... {{ ... }} ...`"
Examples
no-interpolation-js-template-string.html
<h4>From: {{.from_email}}</h4>
<h4>To: {{.recipient}}</h4>
<h4>Subject: {{.subject}}</h4>
<div class="email" style="display: block;">
  <!-- ok:no-interpolation-js-template-string -->
  {{.message}}
</div>
<div class="email-text" style="display: none;">
  <!-- ok:no-interpolation-js-template-string -->
  <pre>{{.body}}</pre>
  <a href="https://example.com/">
    <h2 class="upper">
      <!-- ok:no-interpolation-js-template-string -->
      {{.link_text}}
    </h2>
  </a>
</div>
<hr>
<script>
  // ruleid:no-interpolation-js-template-string
  var x = `hello {{.recipient}}`;
</script>
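As an added example (not part of the Semgrep rule or its test file), this Go program renders the remediated form of the flagged line above with html/template: the action is moved out of the backtick literal into plain JavaScript context, where html/template emits the value as a JSON-encoded string, and the template literal then only references the resulting JS variable. The RenderSafe and IsNeutralized helpers and the hostile input value are constructed for this demonstration.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Remediated form of the flagged line `var x = `hello {{.recipient}}`;`:
// the action sits in plain JavaScript context, where html/template emits the
// value as a JSON-encoded string literal, and the template literal only
// interpolates the resulting JS variable. (Constructed for this example.)
const safeTmpl = `<script>
  var recipient = {{.recipient}};
  var x = ` + "`hello ${recipient}`" + `;
</script>`

var page = template.Must(template.New("page").Parse(safeTmpl))

// RenderSafe renders safeTmpl for one recipient value.
func RenderSafe(recipient string) (string, error) {
	var sb strings.Builder
	if err := page.Execute(&sb, map[string]any{"recipient": recipient}); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// IsNeutralized reports whether the rendered output contains only the
// template's own closing </script> tag, with every '<' from the recipient
// value encoded as \u003c inside the JS string literal.
func IsNeutralized(out string) bool {
	return strings.Count(out, "</script>") == 1 &&
		!strings.Contains(out, "<script>alert") &&
		strings.Contains(out, `\u003c/script\u003e`)
}

func main() {
	// Constructed hostile value: tries to close the script block and to smuggle
	// a ${...} substitution, which is inert inside a quoted JS string.
	out, err := RenderSafe("</script><script>alert(1)</script>${alert(1)}")
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
	fmt.Println("neutralized:", IsNeutralized(out))
}
```

The same value placed directly inside the backtick literal is what the rule flags, because contextual escaping cannot make a `${...}` substitution inert there.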
Short Link: https://sg.run/8yl7