Do not bypass HTML escaping with ResponseWriter
ID: go-security/responsewriter-no-fprintf
Language: Go
Severity: Warning
Category: Security
CWE: 79
Description
Using fmt.Fprintf
on a http.ResponseWriter
can potentially introduce security issues and cross-site scripting (XSS) vulnerabilities if not handled carefully. When using fmt.Fprintf
, there is a risk of inadvertently including untrusted data in the response body without properly escaping or sanitizing it. This can allow an attacker to inject malicious code into the response, which can then be executed in the context of other users accessing the page, leading to XSS attacks.
To prevent security issues and XSS vulnerabilities when writing to a http.ResponseWriter
, developers should:
- Properly escape and sanitize any user-generated or untrusted data before writing it to the response body. HTML-encode all user input to prevent script injection.
- Use the
html/template
package in Go to safely interpolate dynamic content into HTML templates. - Avoid using
fmt.Fprintf
directly to write data to the response body when dealing with untrusted input. Instead, prefer using methods like WriteHeader
and Write
from http.ResponseWriter
to prevent unintended data insertion. - Implement Content Security Policy (CSP) headers to restrict the execution of scripts and mitigate the impact of potential XSS attacks.
By following these best practices and being cautious about how data is written to a http.ResponseWriter
, developers can reduce the risk of security vulnerabilities and better protect their web applications from potential XSS attacks.
Non-Compliant Code Examples
func my_controller(anotherArgument myType1, responseWriter http.ResponseWriter, anotherArgument myType2) {
fmt.Fprintf(responseWriter, "foo %s", something);
}