SYM_GO_0002 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description

In Go's html/template package, values of type template.HTML, template.JS, or template.CSS are treated as already safe for their context and are inserted into the output without contextual escaping. Converting raw user input directly to one of these types therefore bypasses the package's automatic escaping and lets attacker-controlled markup, script, or style into the rendered page. This pattern makes it easy for an attacker to inject malicious scripts or code.
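The following Go program is an added example, not code from the Symbiotic database or from any project it describes, showing the behaviour described above side by side: the same constructed input rendered once through a template.HTML / template.JS conversion (the flawed pattern) and once as a plain string (the contextual auto-escaping that html/template applies by default). The templates, the function names, and the sample input `<script>alert(1)</script>` are all assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Constructed sample input, standing in for a value read from a form field or
// query parameter. It is not data taken from the original page.
const untrustedInput = `<script>alert(1)</script>`

// Two templates: one interpolates into HTML text, the other into a JavaScript value.
const htmlPage = `<p>Hello, {{.Name}}</p>`
const jsPage = `<script>var user = {{.Name}};</script>`

// render parses tmpl with html/template and executes it with data.
func render(tmpl string, data map[string]interface{}) (string, error) {
	t, err := template.New("page").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderHTMLTrusted reproduces the pattern the entry warns about: wrapping raw
// input in template.HTML asserts it is already safe, so it is emitted verbatim.
func RenderHTMLTrusted(input string) (string, error) {
	return render(htmlPage, map[string]interface{}{"Name": template.HTML(input)})
}

// RenderHTMLEscaped passes the value as a plain string, so contextual
// auto-escaping replaces the angle brackets and the markup renders as text.
func RenderHTMLEscaped(input string) (string, error) {
	return render(htmlPage, map[string]interface{}{"Name": input})
}

// RenderJSTrusted does the same for a JavaScript context using template.JS:
// the raw input is spliced into the script block unchanged.
func RenderJSTrusted(input string) (string, error) {
	return render(jsPage, map[string]interface{}{"Name": template.JS(input)})
}

// RenderJSEscaped leaves the value as a string; html/template JSON-encodes it
// and escapes characters such as '<' and '>' so the text cannot break out of
// the script element.
func RenderJSEscaped(input string) (string, error) {
	return render(jsPage, map[string]interface{}{"Name": input})
}

func main() {
	cases := []struct {
		label string
		fn    func(string) (string, error)
	}{
		{"HTML context, template.HTML (unsafe)", RenderHTMLTrusted},
		{"HTML context, plain string (escaped)", RenderHTMLEscaped},
		{"JS context, template.JS (unsafe)", RenderJSTrusted},
		{"JS context, plain string (escaped)", RenderJSEscaped},
	}
	for _, c := range cases {
		out, err := c.fn(untrustedInput)
		if err != nil {
			fmt.Println(c.label, "error:", err)
			continue
		}
		fmt.Printf("%-40s %s\n", c.label+":", out)
	}
}
```

The practical rule this illustrates: the safe types are for content the application itself produced or sanitized, never for a value that came from the request. If limited markup from users must be allowed, sanitize it with an allow-list HTML sanitizer first and only then convert the sanitized result to template.HTML; a plain string is the correct type for everything else.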
## Impact

If exploited, this weakness enables cross-site scripting (XSS): an attacker can execute arbitrary JavaScript in the browsers of users who view the affected page. Consequences include theft of session data or other sensitive information, account compromise, and redirection to malicious sites, putting both users and the application at risk.