SYM_GO_0030 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language | Go |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Writing user data directly to http.ResponseWriter using printf-style functions (fmt.Fprintf, fmt.Fprint and similar) performs no HTML escaping, so any markup in the input is emitted verbatim and the application is exposed to cross-site scripting (XSS). Instead, render dynamic content with Go's html/template package, which escapes each value according to the HTML context it is inserted into.
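The vulnerable and the corrected pattern side by side, as an added example that is not part of this database entry; the handler and helper names (greetUnsafe, greetSafe, RenderSafe, RenderUnsafe) and the greeting template are assumptions chosen for the illustration:

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"strings"
)

// Vulnerable pattern (CWE-79): the query parameter is interpolated straight
// into the response body. fmt.Fprintf does no HTML escaping, so markup in
// "name" is emitted verbatim and interpreted by the browser.
func greetUnsafe(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("name")
	fmt.Fprintf(w, "<h1>Hello, %s!</h1>", name)
}

// Corrected pattern: html/template knows that {{.}} sits inside an element
// body and entity-escapes the value before it reaches the page.
var greetTmpl = template.Must(template.New("greet").Parse("<h1>Hello, {{.}}!</h1>"))

func greetSafe(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("name")
	if err := greetTmpl.Execute(w, name); err != nil {
		http.Error(w, "render failed", http.StatusInternalServerError)
	}
}

// RenderUnsafe mirrors greetUnsafe's output so it can be inspected offline.
func RenderUnsafe(name string) string {
	return fmt.Sprintf("<h1>Hello, %s!</h1>", name)
}

// RenderSafe mirrors greetSafe's output: the same template executed into a
// string builder instead of the ResponseWriter.
func RenderSafe(name string) (string, error) {
	var sb strings.Builder
	if err := greetTmpl.Execute(&sb, name); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	http.HandleFunc("/unsafe", greetUnsafe)
	http.HandleFunc("/safe", greetSafe)
	http.ListenAndServe(":8080", nil)
}
```

A code-review or static-analysis check for this finding is to flag any fmt.Fprint* call whose writer is an http.ResponseWriter and whose arguments include request-derived data.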
Impact
If exploited, an attacker could inject scripts into your web pages that run in other users' browsers, allowing them to steal user data, hijack sessions, or deface your site. This compromises both user trust and the security of your application and its users.