ccojocar changed the title from "Add a rule to catch the usage of insecure template.HTML/CSS/" to "Add a rule to catch the usage of insecure template.HTML/CSS..." on Jun 25, 2020
To be fair assigning a string literal to template.JS and template.CSS might be acceptable. This is not true for template.HTML and it is definitely not true for any string that is not a literal.
Summary
Create a rule to detect the usage of insecure template.HTML, CSS, HTMLAttr, JS, JSStr, Srcset types. They are documented as a security risk. See https://golang.org/pkg/html/template/#HTML.
Also see this discussion https://twitter.com/empijei/status/1275177219011350528
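An added Go example (not code from the gosec project or from the issue author) showing what such a rule is meant to catch: the same untrusted string rendered once as a plain string, where html/template applies contextual escaping, and once wrapped in template.HTML, where the engine trusts the value and emits it unescaped. The template and the sample input are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// renderEscaped executes a template with a plain string value: html/template
// applies contextual escaping, so any markup in the untrusted input is neutralised.
func renderEscaped(untrusted string) (string, error) {
	t := template.Must(template.New("p").Parse(`<p>{{.}}</p>`))
	var buf bytes.Buffer
	if err := t.Execute(&buf, untrusted); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderTrusted passes the same value wrapped in template.HTML. That type tells
// the engine the content is already safe HTML, so escaping is skipped and the
// caller becomes responsible for sanitisation; this is the pattern the rule flags.
func renderTrusted(untrusted string) (string, error) {
	t := template.Must(template.New("p").Parse(`<p>{{.}}</p>`))
	var buf bytes.Buffer
	if err := t.Execute(&buf, template.HTML(untrusted)); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample input: a value containing markup, as a user might submit it.
	in := `<b>bold</b>`
	a, _ := renderEscaped(in)
	b, _ := renderTrusted(in)
	fmt.Println(a) // <p>&lt;b&gt;bold&lt;/b&gt;</p>
	fmt.Println(b) // <p><b>bold</b></p>
}
```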