Security
go-insecure-templates
go-insecure-templates
usage of insecure template types. They are documented as a security risk. See https://golang.org/pkg/html/template/#HTML.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
go-ssti
go-ssti
A server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. When using “html/template” always check that user inputs are validated and sanitized before included within the template.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine