Missing sanitization of HTML template tags

Description

Failing to sanitize user input can allow attackers to inject HTML tags (like <script> tags) into the rendered template. This can lead to Cross-Site Scripting (XSS) attacks if the injected scripts are then executed.

Ensure user input is sanitized and, wherever possible, avoid rendering templates with raw user input.

Remediations

✅ Always sanitize user input before using it in a template

  safe := template.HTMLEscapeString(r.FormValue("xyz"))

✅ Prefer html/template to text/template when parsing and rendering a template

  import (
      "html/template"
      "net/http"
  )

  func good(w http.ResponseWriter, r *http.Request) {
      // html/template applies context-aware escaping when the template executes
      t, _ := template.New("something").Parse(r.FormValue("xyz"))
      t.Execute(w, nil)
  }
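An added example, not part of the Bearer rule or its documentation, that renders the same developer-controlled template with both packages on a constructed input so the difference in escaping is visible; the function names and the sample payload are assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Constructed sample input standing in for r.FormValue("xyz").
const untrusted = `<script>alert(1)</script>`

// The template itself is fixed by the developer; only the data is user-controlled.
const page = `<p>Hello, {{.Name}}</p>`

// renderText executes the page with text/template, which performs no escaping:
// whatever the user supplied is copied into the output verbatim.
func renderText(name string) (string, error) {
	t, err := texttemplate.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]string{"Name": name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderHTML executes the same page with html/template, which escapes the value
// according to the HTML context in which {{.Name}} appears.
func renderHTML(name string) (string, error) {
	t, err := htmltemplate.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]string{"Name": name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	raw, _ := renderText(untrusted)
	esc, _ := renderHTML(untrusted)
	fmt.Println("text/template:   ", raw)
	fmt.Println("html/template:   ", esc)
	// Manual escaping for the cases where html/template cannot be used.
	fmt.Println("HTMLEscapeString:", htmltemplate.HTMLEscapeString(untrusted))
}
```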

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_lang_html_tag_injection

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_lang_html_tag_injection