Unsanitized user input in web page generation (XSS)
- Rule ID: go_gosec_injection_template_injection
- Languages: go
- Source: template_injection.yml
Description
Cross-Site Scripting (XSS) is a vulnerability that allows attackers to run malicious scripts in the context of a trusted web application. This can happen when an application includes untrusted data without proper validation or escaping. There are several contexts where XSS can occur, each requiring specific encoding strategies to mitigate the risk.
Remediations
- Do encode user input based on the context it is used in, such as HTML content, HTML attributes, JavaScript, and CSS contexts. This helps prevent malicious scripts from being executed.
html.EscapeString(userInput)
- Do use templating engines like
html/template
that automatically encode data based on its context. - Do sanitize data using libraries or functions specifically designed for this purpose, especially when inserting content into a web page.
- Do separate data from code by avoiding inline scripting and event handlers. Use separate JavaScript files for event handling to minimize script injection risks.
- Do not mix server-side and client-side templating systems, as server-side systems may not escape output safely for client-side use.
- Do not encode user input before storing it in a database. Any encoding should be applied when the data is output, not before storage, to ensure that it is encoded appropriately for its context.
References
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=go_gosec_injection_template_injection
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=go_gosec_injection_template_injection