Do not bypass HTML escaping with ResponseWriter

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Metadata

ID: go-security/responsewriter-no-fprintf

Language: Go

Severity: Warning

Category: Security

CWE: 79

Description

Using fmt.Fprintf on a http.ResponseWriter can potentially introduce security issues and cross-site scripting (XSS) vulnerabilities if not handled carefully. When using fmt.Fprintf, there is a risk of inadvertently including untrusted data in the response body without properly escaping or sanitizing it. This can allow an attacker to inject malicious code into the response, which can then be executed in the context of other users accessing the page, leading to XSS attacks.

To prevent security issues and XSS vulnerabilities when writing to a http.ResponseWriter, developers should:

  1. Properly escape and sanitize any user-generated or untrusted data before writing it to the response body. HTML-encode all user input to prevent script injection.
  2. Use the html/template package in Go to safely interpolate dynamic content into HTML templates.
  3. Avoid using fmt.Fprintf directly to write data to the response body when dealing with untrusted input. Instead, prefer using methods like WriteHeader and Write from http.ResponseWriter to prevent unintended data insertion.
  4. Implement Content Security Policy (CSP) headers to restrict the execution of scripts and mitigate the impact of potential XSS attacks.

By following these best practices and being cautious about how data is written to a http.ResponseWriter, developers can reduce the risk of security vulnerabilities and better protect their web applications from potential XSS attacks.

Non-Compliant Code Examples

func my_controller(anotherArgument myType1, responseWriter http.ResponseWriter, anotherArgument myType2) {
    fmt.Fprintf(responseWriter, "foo %s", something);
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

PREVIEWING: antoine.dussault/service-representation-ga-docs-us1