SYM_GO_0029 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Writing user-controlled data directly to http.ResponseWriter using io.WriteString skips automatic HTML escaping, making it easy to introduce cross-site scripting (XSS) vulnerabilities. It's safer to use the html/template package, which properly escapes output before sending it to users.
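The pattern this entry describes, as an added Go example that is not part of the wiki page: a handler that writes the `name` query parameter straight to the `ResponseWriter` with `io.WriteString`, next to the same page rendered through `html/template`. The handler names, the template and the sample input are constructed for illustration, and `httptest` drives both handlers so their output can be compared offline.

```go
package main

import (
	"fmt"
	"html/template"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// unsafeGreeting reflects the user-controlled "name" query parameter into the
// page with io.WriteString, which performs no HTML escaping (CWE-79).
func unsafeGreeting(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	io.WriteString(w, "<h1>Hello, "+r.URL.Query().Get("name")+"</h1>")
}

// greetingTmpl is parsed once at start-up; html/template picks the escaping
// for {{.Name}} from its HTML context (here, element text content).
var greetingTmpl = template.Must(template.New("greet").Parse("<h1>Hello, {{.Name}}</h1>"))

// safeGreeting renders the same page through html/template, so the value is
// contextually escaped before it reaches the client.
func safeGreeting(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	data := struct{ Name string }{Name: r.URL.Query().Get("name")}
	if err := greetingTmpl.Execute(w, data); err != nil {
		http.Error(w, "render failed", http.StatusInternalServerError)
	}
}

// render drives a handler with a constructed GET request carrying name as a
// query parameter and returns the response body, so no server needs to listen.
func render(h http.HandlerFunc, name string) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/?name="+url.QueryEscape(name), nil)
	h(rec, req)
	return rec.Body.String()
}

func main() {
	// Constructed input containing markup; harmless here, but it shows which
	// handler lets markup through and which neutralizes it.
	input := "<b>Bob</b>"
	fmt.Println(render(unsafeGreeting, input)) // <h1>Hello, <b>Bob</b></h1>
	fmt.Println(render(safeGreeting, input))   // <h1>Hello, &lt;b&gt;Bob&lt;/b&gt;</h1>
}
```

A detection rule for this entry can key on the same shape: an `io.WriteString` (or `w.Write`/`fmt.Fprintf`) call whose argument is derived from `*http.Request` and whose destination is an `http.ResponseWriter` served as HTML.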
Impact
If exploited, attackers can inject malicious scripts into web pages viewed by other users, leading to account hijacking, data theft, or unauthorized actions on behalf of users. This exposes your application and its users to serious security risks and possible regulatory violations.