Unsanitized user input in web page generation (XSS)

• Rule ID: go_gosec_injection_template_injection
• Languages: go
• Source: template_injection.yml

Description

Cross-Site Scripting (XSS) is a vulnerability that allows attackers to run malicious scripts in the context of a trusted web application. This can happen when an application includes untrusted data without proper validation or escaping. There are several contexts where XSS can occur, each requiring specific encoding strategies to mitigate the risk.

Remediations

• Do encode user input based on the context it is used in, such as HTML content, HTML attributes, JavaScript, and CSS contexts. This helps prevent malicious scripts from being executed.

  html.EscapeString(userInput)

• Do use templating engines like html/template that automatically encode data based on its context.
• Do sanitize data using libraries or functions specifically designed for this purpose, especially when inserting content into a web page.
• Do separate data from code by avoiding inline scripting and event handlers. Use separate JavaScript files for event handling to minimize script injection risks.
• Do not mix server-side and client-side templating systems, as server-side systems may not escape output safely for client-side use.
• Do not encode user input before storing it in a database. Any encoding should be applied when the data is output, not before storage, to ensure that it is encoded appropriately for its context.

References

• OWASP XSS Prevention Cheat Sheet
• Go html/template Documentation

Associated CWE

• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OWASP Top 10

• A03:2021 - Injection

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_injection_template_injection

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_injection_template_injection