- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
ID: go-security/unescape-template-data-js
Language: Go
Severity: Info
Category: Security
CWE: 79
Not escaping user input data and injecting them directly into an HTML template can lead to several vulnerabilities, including:
To mitigate these vulnerabilities, it is crucial to properly escape user input data before inserting them into HTML templates. The process of escaping involves replacing characters that have special meaning in HTML (such as <
, >
, "
, '
, &
) with their respective HTML entities. This ensures that user input is treated as data rather than executable code.
Go provides built-in functions like html/template
or text/template
that handle proper escaping of user input. By using these functions correctly, you can mitigate the risks of XSS, HTML injection, and content spoofing vulnerabilities.
Remember, when it comes to user input, it is always essential to validate and sanitize the data on the server-side as well. Proper input validation and output escaping should be applied consistently to ensure the security and integrity of your web applications.
func xss1Handler(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
/* template.HTML is a vulnerable function */
data := make(map[string]interface{})
if r.Method == "GET" {
term := r.FormValue("term")
if util.CheckLevel(r) { // level = high
term = HTMLEscapeString(term)
}
if term == "sql injection" {
term = "sqli"
}
term = removeScriptTag(term)
vulnDetails := GetExp(term)
notFound := fmt.Sprintf("<b><i>%s</i></b> not found", term)
value := fmt.Sprintf("%s", term)
if term == "" {
data["term"] = ""
} else if vulnDetails == "" {
data["value"] = template.HTML(value)
data["term"] = template.HTML(notFound) // vulnerable function
} else {
vuln := fmt.Sprintf("<b>%s</b>", term)
data["value"] = template.HTML(value)
data["term"] = template.HTML(vuln)
data["details"] = vulnDetails
}
}
data["title"] = "Cross Site Scripting"
util.SafeRender(w, r, "template.xss1", data)
}
func main() {
tmpl = fmt.Sprintf("something: %s", someData)
template.JS(tmpl)
return template.JS(tmpl)
if something {
return template.JS(tmpl)
}
}
func main() {
tmpl := fmt.Sprintf("something: %s", someData)
return template.JS(tmpl)
}
func main() {
tmpl := "<html><body><title>" + injection + "</title></html>"
return template.JS(tmpl)
}
func main() {
tmpl := "<html><body><title> Safe HTML </title></html>"
return template.JS(tmpl)
}