Missing sanitization of HTML template tags

• Rule ID: go_lang_html_tag_injection
• Languages: go
• Source: html_tag_injection.yml

Description

When user input is not sanitized, attackers can inject HTML tags, such as <script> tags, into templates. This unsanitized input can lead to Cross-Site Scripting (XSS) attacks when the malicious scripts are executed.

Remediations

• Do sanitize user input before incorporating it into a template. This step is crucial to prevent XSS attacks.

  safe := template.HTMLEscapeString(r.FormValue("xyz"))

• Do use html/template instead of text/template for parsing and rendering templates. The html/template package automatically escapes inputs, providing an additional layer of security.

  import "html/template"
  
  func good(w http.ResponseWriter, r *http.Request) {
    t, _ := template.New("something").Parse(r.FormValue("xyz"))
    t.Execute(w, nil)
  }

References

• OWASP XSS Prevention Cheat Sheet

Associated CWE

• CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

OWASP Top 10

• A03:2021 - Injection

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_lang_html_tag_injection

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_lang_html_tag_injection