Using fmt.Fprintf on a http.ResponseWriter can potentially introduce security issues and cross-site scripting (XSS) vulnerabilities if not handled carefully. When using fmt.Fprintf, there is a risk of inadvertently including untrusted data in the response body without properly escaping or sanitizing it. This can allow an attacker to inject malicious code into the response, which can then be executed in the context of other users accessing the page, leading to XSS attacks.
To prevent security issues and XSS vulnerabilities when writing to a http.ResponseWriter, developers should:
Properly escape and sanitize any user-generated or untrusted data before writing it to the response body. HTML-encode all user input to prevent script injection.
Use the html/template package in Go to safely interpolate dynamic content into HTML templates.
Avoid using fmt.Fprintf directly to write data to the response body when dealing with untrusted input. Instead, prefer using methods like WriteHeader and Write from http.ResponseWriter to prevent unintended data insertion.
Implement Content Security Policy (CSP) headers to restrict the execution of scripts and mitigate the impact of potential XSS attacks.
By following these best practices and being cautious about how data is written to a http.ResponseWriter, developers can reduce the risk of security vulnerabilities and better protect their web applications from potential XSS attacks.
```go
package main

import (
	"html/template"
	"net/http"
)

func my_controller(responseWriter http.ResponseWriter, request *http.Request) {
	// Safe: using html/template for proper escaping
	data := struct{ Name string }{request.URL.Query().Get("name")}
	tmpl := template.Must(template.ParseFiles("template.html"))
	tmpl.Execute(responseWriter, data)
}
```
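The following is an added example, not code from the Datadog rule page, showing the pattern the rule flags beside the two mitigations the text recommends (HTML-encoding the value before fmt.Fprintf, and rendering through html/template with a Content-Security-Policy header). The handler names, the inline template standing in for template.html, and the `name` query parameter are assumptions made for the example; the request is built in memory with net/http/httptest so it runs offline.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Hypothetical inline template standing in for template.html; the
// {{.Name}} action is escaped by html/template according to its HTML context.
var greetTmpl = template.Must(template.New("greet").Parse("<p>Hello, {{.Name}}!</p>"))

// unsafeGreet is the pattern the rule flags: a query parameter is formatted
// straight into the body, so any markup in it is reflected verbatim.
func unsafeGreet(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("name")
	fmt.Fprintf(w, "<p>Hello, %s!</p>", name)
}

// escapedGreet keeps fmt.Fprintf but HTML-encodes the untrusted value first.
func escapedGreet(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("name")
	fmt.Fprintf(w, "<p>Hello, %s!</p>", html.EscapeString(name))
}

// templateGreet renders through html/template into a buffer (so an error can
// still produce a clean 500) and adds a CSP header that limits what an
// injected script could do even if escaping were ever missed.
func templateGreet(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Security-Policy", "default-src 'self'")
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	name := r.URL.Query().Get("name")
	var buf bytes.Buffer
	if err := greetTmpl.Execute(&buf, struct{ Name string }{name}); err != nil {
		http.Error(w, "render failed", http.StatusInternalServerError)
		return
	}
	w.Write(buf.Bytes())
}

// render drives a handler with an in-memory GET request carrying the given
// name parameter and returns the response body and headers for inspection.
func render(h http.HandlerFunc, name string) (string, http.Header) {
	req := httptest.NewRequest(http.MethodGet, "/?name="+url.QueryEscape(name), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Body.String(), rec.Header()
}

func main() {
	// Constructed sample input: a script tag supplied as the name parameter.
	payload := "<script>alert(1)</script>"
	cases := []struct {
		label string
		h     http.HandlerFunc
	}{
		{"fmt.Fprintf (unsafe)", unsafeGreet},
		{"html.EscapeString", escapedGreet},
		{"html/template", templateGreet},
	}
	for _, c := range cases {
		body, _ := render(c.h, payload)
		fmt.Printf("%-22s %s\n", c.label+":", body)
	}
}
```

Running it prints the unsafe handler's body with the script tag intact, while both mitigated handlers emit `&lt;script&gt;...&lt;/script&gt;`; the template path additionally carries the CSP header. Note that html.EscapeString is only correct for an HTML text context; for attribute values, URLs or inline JavaScript the context-aware escaping of html/template is the right tool, which is why the rule points to it.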
Datadog Code Security
Analyze your code with Datadog Code Security using this rule
How to use this rule
```yaml
rulesets:
  - go-security # Rules to enforce Go security.
```
Create a static-analysis.datadog.yml file with the content above at the root of your repository
Use our free IDE plugins or add Code Security scans to your CI pipelines