Go User Input As Safe Type
Description
Identifies Cross-Site Scripting (XSS) vulnerabilities in Go HTML templates where user input is handled unsafely. The security risk occurs when untrusted user content is embedded in HTML templates without proper escaping, allowing potential injection of malicious scripts.
Detection Strategy
• Identifies Go template function calls that handle user content
• Checks if user-controlled input data flows into these template functions
• Reports a vulnerability when user input is passed to templates without proper HTML escaping
• Specifically monitors template operations that could render unescaped HTML content
Vulnerable code example
package main
import (
"html/template"
"net/http"
)
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {...
✅ Secure code example
package main
import (
"html/template"
"net/http"
)
func safeHandler(w http.ResponseWriter, r *http.Request) {...
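The following is an added example, not code from the page or from Fluid Attacks, that shows the pattern this rule targets in runnable form: wrapping untrusted input in html/template's safe type template.HTML disables contextual escaping, whereas passing the same value as a plain string lets the template engine escape it. The template text, the "name" query parameter and the sample input are assumptions constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"net/http"
)

// Constructed sample input for the demonstration (not from the page).
const sampleInput = `<script>alert(1)</script>`

// Hypothetical template; {{.}} sits in an HTML text context.
var page = template.Must(template.New("page").Parse(`<p>Hello, {{.}}</p>`))

// renderAsSafeType mirrors the vulnerable pattern: converting user input to
// template.HTML tells html/template the value is already trusted markup, so
// the engine skips escaping and the input reaches the page verbatim.
func renderAsSafeType(userInput string) (string, error) {
	var buf bytes.Buffer
	if err := page.Execute(&buf, template.HTML(userInput)); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderAsString is the fix: pass the value as a plain string and let
// html/template escape it for the context in which it is rendered.
// If real markup must be rendered, sanitize it first and only then wrap it.
func renderAsString(userInput string) (string, error) {
	var buf bytes.Buffer
	if err := page.Execute(&buf, userInput); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// safeHandler wires the string form into an HTTP handler ("name" is assumed).
func safeHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	if err := page.Execute(w, r.URL.Query().Get("name")); err != nil {
		http.Error(w, "render failed", http.StatusInternalServerError)
	}
}

func main() {
	unsafe, _ := renderAsSafeType(sampleInput)
	safe, _ := renderAsString(sampleInput)
	fmt.Println("template.HTML:", unsafe) // <p>Hello, <script>alert(1)</script></p>
	fmt.Println("string:       ", safe)   // <p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</p>
}
```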