usage of insecure template types. They are documented as a security risk. See https://golang.org/pkg/html/template/#HTML. Likelihood: LOW Confidence: LOW CWE: - CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: - A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
go-ssti
A server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. When using “html/template” always check that user inputs are validated and sanitized before included within the template. Likelihood: LOW Confidence: MEDIUM CWE: - CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine