The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.
303// TimeSince calculates the time interval and generate user-friendly string.
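// TimeSince renders t as a <span class="time-since"> element whose title
// attribute carries the absolute time (formatted with conf.Time.FormatLayout)
// and whose text is the relative description returned by timeSince; lang is
// passed through to timeSince unchanged.
//
// Both substituted values are HTML-escaped before the fragment is marked as
// template.HTML. Neither the configured layout nor the timeSince text is
// expected to carry markup, but escaping them keeps the attribute and element
// body well-formed if either ever contains a quote, '<' or '&', rather than
// relying on the fact that the scanner-flagged template.HTML conversion
// bypasses the engine's contextual auto-escaping.
func TimeSince(t time.Time, lang string) template.HTML {
	absolute := template.HTMLEscapeString(t.Format(conf.Time.FormatLayout))
	relative := template.HTMLEscapeString(timeSince(t, lang))
	return template.HTML(fmt.Sprintf(`<span class="time-since" title="%s">%s</span>`, absolute, relative))
}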
308// Subtract deals with subtraction of all types of number.
The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.
142}
// Str2HTML passes raw through markup.Sanitize and marks the sanitizer's output
// as template.HTML so html/template emits it without further escaping. The
// template.HTML conversion itself bypasses contextual auto-escaping, so the
// safety of this helper rests entirely on what markup.Sanitize removes
// (defined outside this file); prefer it over Safe for any user-supplied text.
func Str2HTML(raw string) template.HTML {
	clean := markup.Sanitize(raw)
	return template.HTML(clean)
}
148// NewLine2br simply replaces "\n" to "<br>".
The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.
138}
// Safe marks raw as template.HTML, which html/template will emit verbatim with
// no contextual escaping applied. Nothing is filtered or checked here: the
// caller must only pass content that is fully trusted or has already been
// sanitized (compare Str2HTML). Request- or user-derived strings must never
// reach this function, since any markup they contain is rendered live.
func Safe(raw string) template.HTML {
	trusted := template.HTML(raw)
	return trusted
}
144func Str2HTML(raw string) template.HTML {
The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.
429 c.Errorf(err, "encode image")
430 return
431 }
432 c.Data["QRCode"] = template.URL("data:image/png;base64," + base64.StdEncoding.EncodeToString(buf.Bytes()))433
434 _ = c.Session.Set("twoFactorSecret", c.Data["TwoFactorSecret"])
435 _ = c.Session.Set("twoFactorURL", key.String())
The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.
188 for i := 0; i < len(lines); i++ {
189 output.WriteString(fmt.Sprintf(`<span id="L%d">%d</span>`, i+1, i+1))
190 }
191 c.Data["LineNums"] = gotemplate.HTML(output.String())192 }
194 if canEnableEditor {
The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.
182 for index, line := range lines {
183 output.WriteString(fmt.Sprintf(`<li class="L%d" rel="L%d">%s</li>`, index+1, index+1, gotemplate.HTMLEscapeString(strings.TrimRight(line, "\r"))) + "\n")
184 }
185 c.Data["FileContent"] = gotemplate.HTML(output.String())186
187 output.Reset()
188 for i := 0; i < len(lines); i++ {
The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.
34// ComputedInlineDiffFor computes inline diff for the given line.
35func (s *DiffSection) ComputedInlineDiffFor(line *git.DiffLine) template.HTML {
36 fallback := template.HTML(html.EscapeString(line.Content)) 37 if conf.Git.DisableDiffHighlight {
38 return fallback
39 }
The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.
106 }
107 }
109 return template.HTML(buf.Bytes())110}
112// DiffFile is a wrapper to git.DiffFile with helper methods.
The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.
55 return time.Now().Year()
56 },
57 "Str2HTML": func(raw string) template.HTML {
58 return template.HTML(markup.Sanitize(raw)) 59 },
60 }},
61 }
Description
Potential unescaped data in HTML template.
Do not pass external values into the template through these types without escaping them first: such content is not auto-escaped as HTML and could lead to code injection attacks.
Recommendations:
template.JS: Using JS to include valid but untrusted JSON is not safe. A safe alternative is to parse the JSON with json.Unmarshal and then pass the resultant object into the template, where it will be converted to sanitized JSON when presented in a JavaScript context.
template.HTML: Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.
template.HTMLAttr: Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.
template.URL: Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.
Bad practice
package main
import (
"fmt"
"html/template"
"os"
)
// main demonstrates the flagged pattern: a string that stands in for
// untrusted input is wrapped in template.JS, which tells html/template to
// emit it verbatim in a script context instead of applying its escaping.
func main() {
// Tainted untrusted JSON
a := `{"name": "untrusted"}`
// The template body is empty, so nothing is rendered in this example; the
// point is the template.JS(a) wrapping below, which would bypass contextual
// escaping wherever {{.Body}} appeared inside a <script> block.
t := template.Must(template.New("x").Parse(""))
v := map[string]interface{}{
// template.JS asserts that a is trusted script content. If a were
// attacker-controlled, this conversion is where the injection risk arises.
"Body": template.JS(a),
}
if err := t.Execute(os.Stdout, v); err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
}
Recommended
package main
import (
"fmt"
"html/template"
"os"
)
// main shows the accepted form: the value wrapped in template.JS is a
// compile-time literal, so no external data can reach the unescaped path.
// For JSON that is not hardcoded, the description's template.JS
// recommendation applies: json.Unmarshal it and pass the resulting value to
// the template instead of wrapping the raw string.
func main() {
// We assume that hardcoded template strings are safe as the programmer would
// need to be explicitly shooting themselves in the foot (as below)
t := template.Must(template.New("x").Parse(""))
v := map[string]interface{}{
// A literal, not derived from any input: acceptable to mark as template.JS.
"Body": template.JS(`{"name": "trusted"}`),
}
if err := t.Execute(os.Stdout, v); err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
}