Audit the usage of unescaped data in HTML templates GSC-G203
The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.
188 for i := 0; i < len(lines); i++ {
189 output.WriteString(fmt.Sprintf(`<span id="L%d">%d</span>`, i+1, i+1))
190 }
191 c.Data["LineNums"] = gotemplate.HTML(output.String())192 }
193
194 if canEnableEditor {The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.
182 for index, line := range lines {
183 output.WriteString(fmt.Sprintf(`<li class="L%d" rel="L%d">%s</li>`, index+1, index+1, gotemplate.HTMLEscapeString(strings.TrimRight(line, "\r"))) + "\n")
184 }
185 c.Data["FileContent"] = gotemplate.HTML(output.String())186
187 output.Reset()
188 for i := 0; i < len(lines); i++ {The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.
138}
139
140func Safe(raw string) template.HTML {
141 return template.HTML(raw)142}
143
144func Str2HTML(raw string) template.HTML {The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.
142}
143
144func Str2HTML(raw string) template.HTML {
145 return template.HTML(markup.Sanitize(raw))146}
147
148// NewLine2br simply replaces "\n" to "<br>".The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.
302
303// TimeSince calculates the time interval and generate user-friendly string.
304func TimeSince(t time.Time, lang string) template.HTML {
305 return template.HTML(fmt.Sprintf(`<span class="time-since" title="%s">%s</span>`, t.Format(conf.Time.FormatLayout), timeSince(t, lang)))306}
307
308// Subtract deals with subtraction of all types of number.
Description
Potential unescaped data in HTML template.
Do not use external values in the template without escaping as it will not auto-escape HTML and could lead to code injection attacks.
Recommendations:
template.JS: Using JS to include valid but untrusted JSON is not safe. A safe alternative is to parse the JSON with json.Unmarshal and then pass the resultant object into the template, where it will be converted to sanitized JSON when presented in a JavaScript context.template.HTML: Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.template.HTMLAttr: Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.template.URL: Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.
Bad practice
package main
import (
"fmt"
"html/template"
"os"
)
func main() {
// Tainted untrusted JSON
a := `{"name": "untrusted"}`
t := template.Must(template.New("x").Parse(""))
v := map[string]interface{}{
"Body": template.JS(a),
}
if err := t.Execute(os.Stdout, v); err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
}
Recommended
package main
import (
"fmt"
"html/template"
"os"
)
func main() {
// We assume that hardcoded template strings are safe as the programmer would
// need to be explicitly shooting themselves in the foot (as below)
t := template.Must(template.New("x").Parse(""))
v := map[string]interface{}{
"Body": template.JS(`{"name": "trusted"}`),
}
if err := t.Execute(os.Stdout, v); err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
}