go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string

Community Favorite
Author: semgrep
Download count: 10,103

Detected template variable interpolation in a JavaScript template string. This is potentially vulnerable to cross-site scripting (XSS) because a malicious actor who controls the interpolated value can inject JavaScript without needing any of the characters that would normally have to be escaped. Instead, obtain this variable outside of the template string and ensure your template is properly escaped.


Definition

rules:
  - id: no-interpolation-js-template-string
    message: Detected template variable interpolation in a JavaScript template
      string. This is potentially vulnerable to cross-site scripting (XSS)
      attacks because a malicious actor has control over JavaScript but without
      the need to use escaped characters. Instead, obtain this variable outside
      of the template string and ensure your template is properly escaped.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://github.com/golang/go/issues/9200#issuecomment-66100328
        - https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/
      category: security
      technology:
        - generic
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - generic
    severity: WARNING
    paths:
      include:
        - "*.html"
        - "*.thtml"
        - "*.gohtml"
        - "*.tmpl"
        - "*.tpl"
    patterns:
      - pattern-inside: <script ...> ... ... ... ... ... </script>
      - pattern: "` ... {{ ... }} ...`"

Examples

no-interpolation-js-template-string.html

<h4>From: {{.from_email}}</h4>
<h4>To: {{.recipient}}</h4>
<h4>Subject: {{.subject}}</h4>
<div class="email" style="display: block;">
    <!-- ok:no-interpolation-js-template-string -->
    {{.message}}
</div>
<div class="email-text" style="display: none;">
    <!-- ok:no-interpolation-js-template-string -->
    <pre>{{.body}}</pre>
    <a href="https://example.com/">
        <h2 class="upper">
            <!-- ok:no-interpolation-js-template-string -->
            {{.link_text}}
        </h2>
    </a>
</div>
<hr>

<script>
// ruleid:no-interpolation-js-template-string
var x = `hello {{.recipient}}`;
</script>