Improper neutralization of input during web page generation ('Cross-site Scripting')

• Rule ID: go_gosec_injection_template_injection
• Languages: go
• Source: template_injection.yml

Description

Cross-Site Scripting (XSS) is a vulnerability that allows attackers to run malicious scripts in the context of a trusted web application. This can happen when an application includes untrusted data without proper validation or escaping. There are several contexts where XSS can occur, each requiring specific encoding strategies to mitigate the risk.

Remediations

To defend against XSS attacks, consider the following measures:

✅ Encode Based on Context

When user input is reflected back in HTML, ensure it is encoded based on the context in which it is used (e.g., HTML content, HTML attributes, JavaScript context, CSS context, etc.).

✅ Template Safely

Utilize templating engines that automatically encode data based on context, and be cautious not to override these safeguards.

✅ Sanitize Data

Use libraries or functions designed to sanitize user input, particularly when inserting content into a web page.

✅ Separate Data from Code

Avoid inline scripting and event handlers, and instead use separate JavaScript files to handle events. This reduces the risk of script injection through event attributes.

✅ Avoid Mixing Templating Systems

Do not mix server-side and client-side templating systems, as server-side systems may not escape output in a way that is safe for client-side use.

❌ Do Not Encode Before Storing

Avoid encoding user input before storing it in a database. The encoding should be applied when the data is output, not before storage, to ensure that it is encoded appropriately for its context.

Here's an example of using Go’s html/template package to safely render HTML content:

import (
    "html/template"
    "os"
    "log"
)

func main() {
    // Define a template with a function to safely render HTML
    testTemplate, err := template.New("testTemplate").Funcs(template.FuncMap{
        "SafeHTML": func() template.HTML {
            const safeHTML = "<div>hardcoded, safe html</div>"
            return template.HTML(safeHTML)
        },
    }).Parse(`<html><body>{{ SafeHTML }}</body></html>`)

    if err != nil {
        log.Fatal(err)
    }

    // Execute the template and ensure proper encoding
    if err := testTemplate.Execute(os.Stdout, nil); err != nil {
        log.Fatal(err)
    }
}

Resources

• OWASP XSS Prevention Cheat Sheet
• Go html/template Documentation
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Associated CWE

• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OWASP Top 10

• A03:2021 - Injection

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_injection_template_injection

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_injection_template_injection