Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Go: promote html-template-escaping-bypass-xss #19386

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 21 commits into
base: main
Choose a base branch
from
Open

Go: promote html-template-escaping-bypass-xss #19386

wants to merge 21 commits into from

Conversation

owen-mc
Copy link
Contributor

@owen-mc owen-mc commented Apr 25, 2025
edited
Loading

Promoting this experimental XSS query.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Apr 25, 2025
edited
Loading

QHelp previews:

go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.qhelp

HTML template escaping bypass cross-site scripting

In Go, the html/template package has a few special types (HTML, HTMLAttr, JS, JSStr, CSS, Srcset, and URL) that allow values to be rendered as-is in the template, avoiding the escaping that all the other strings go through.

Using them on user-provided values allows for a cross-site scripting vulnerability.

Recommendation

Make sure to never use those types on untrusted content.

Example

In the first example you can see the special types and how they are used in a template:

package main

import (
	"html/template"
	"net/http"
)

func bad(w http.ResponseWriter, r *http.Request) {
	r.ParseForm()
	username := r.Form.Get("username")
	tmpl, _ := template.New("test").Parse(`<b>Hi {{.}}</b>`)
	tmpl.Execute(w, template.HTML(username))
}

To avoid XSS, all user input should be a normal string type.

package main

import (
	"html/template"
	"net/http"
)

func good(w http.ResponseWriter, r *http.Request) {
	r.ParseForm()
	username := r.Form.Get("username")
	tmpl, _ := template.New("test").Parse(`<b>Hi {{.}}</b>`)
	tmpl.Execute(w, username)
}

owen-mc added 20 commits May 1, 2025 15:39
@owen-mc
Move files out of experimental (no changes)
5bce70f
@owen-mc
Update path in qlref and update test results
1530ac1
@owen-mc
Convert XSS tests to use inline expectations
1926ffd
@owen-mc
Change query id to go/html-template-escaping-bypass-xss
c2ebdf5
@owen-mc
Update query metadata
ca85f0b
@owen-mc
Refactor to use flow state instead of 3 flow configs (copilot)
ce4be6d
@owen-mc
Manually fix copilot's mistakes and get query working
4e5a865
@owen-mc
Tidy up test (remove duplicated main)
cbdbb03
@owen-mc
Refactor class for unescaped types
b90aba2
@owen-mc
Minor refactor - removed unused argument
7f007e1
@owen-mc
Improve QLDocs
3cce4ba
@owen-mc
Rename files
cba0bec
@owen-mc
Modernize tests
e6c19b0
@owen-mc
Add comment on importance of Function.getACall()
3b934b8
@owen-mc
Fix QLDoc
38dcc1c
@owen-mc
Add missing metadata
f879186
@owen-mc
Reword qhelp slightly
6e3b959
@owen-mc
Make examples in qhelp shorter and more realistic
00cc430
@owen-mc
Avoid deprecated function in qhelp examples in same folder
8283d30
@owen-mc
Add change note
bef38a4
@owen-mc owen-mc force-pushed the go/promote/html-template-escaping-bypass-xss branch from 896cf81 to bef38a4 Compare May 1, 2025 15:08
@owen-mc owen-mc marked this pull request as ready for review May 1, 2025 15:10
@owen-mc owen-mc requested a review from a team as a code owner May 1, 2025 15:10
smowton
smowton approved these changes May 9, 2025
View reviewed changes
Copy link
Contributor

@smowton smowton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks plausible if QA shows good results in practice; minor optional wording quibbles.

go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
@@ -0,0 +1,119 @@
/**
* @name HTML template escaping bypass cross-site scripting
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* @name HTML template escaping bypass cross-site scripting
* @name Cross-site scripting via HTML template escaping bypass

go/ql/src/change-notes/2025-05-01-html-template-escaping-bypass-xss.md
---
category: newQuery
---
* A new query (`go/html-template-escaping-bypass-xss`) has been promoted to the main query suite. This query finds potential cross-site scripting (XSS) vulnerabilities when using the `html/template` package, caused by user input being cast to a type which bypasses the HTML autoescaping. It was originally contributed to the experimental query pack by @gagliardetto in <https://github.com/github/codeql-go/pull/493>.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* A new query (`go/html-template-escaping-bypass-xss`) has been promoted to the main query suite. This query finds potential cross-site scripting (XSS) vulnerabilities when using the `html/template` package, caused by user input being cast to a type which bypasses the HTML autoescaping. It was originally contributed to the experimental query pack by @gagliardetto in <https://github.com/github/codeql-go/pull/493>.
* Query (`go/html-template-escaping-bypass-xss`) has been promoted to the main query suite. This query finds potential cross-site scripting (XSS) vulnerabilities when using the `html/template` package, caused by user input being cast to a type which bypasses the HTML autoescaping. It was originally contributed to the experimental query pack by @gagliardetto in <https://github.com/github/codeql-go/pull/493>.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smowton smowton smowton approved these changes

Assignees
No one assigned
Labels
documentation Go
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@owen-mc @smowton