Cross-site scripting (XSS) from URL query data in ResponseWriter formatting in net/http handler

High Risk cross-site-scripting
Tags: go, net/http, responsewriter, printf, xss, web

What it is

An XSS vulnerability in Go net/http handlers: untrusted URL query parameters (for example the result of r.URL.Query().Get("name")) are written into the HTTP response body with fmt.Printf-style functions such as fmt.Fprintf(w, ...) and no HTML escaping. Anything an attacker places in the query string, including raw HTML and <script> tags, is reflected verbatim in a text/html response and executes in the browser of any user who opens the crafted link.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

A handler reads a value from the request's query string and writes it into a text/html response with fmt.Fprintf (or fmt.Sprintf followed by w.Write) using a %s verb. The fmt package copies the bytes through unchanged; it has no notion of HTML, so an attacker who controls the query string controls part of the page's markup. Because the payload travels in the URL, this is reflected XSS: the attacker only needs the victim to follow a link.

Root causes

Unescaped URL Query Parameters

URL query parameters are directly inserted into HTTP responses without HTML escaping.

Printf-Style Response Formatting

fmt.Printf-style functions are context-free string formatters: %s inserts the argument byte-for-byte, so none of the escaping that html/template applies ever runs. The output is HTML only by convention (the Content-Type header), and the browser parses whatever bytes arrive.

Fixes

1

Use html/template for Responses

Render HTML with Go's html/template package, which escapes every interpolated value for the context it lands in (HTML text, attribute, URL or JavaScript). Parse templates once at startup with template.Must and execute them with the untrusted value as data, and do not substitute text/template, which performs no escaping at all.

2

Manual HTML Escaping

If the response really must be assembled as a raw string, pass each untrusted value through html.EscapeString before formatting it in. This is only safe for HTML text content and quoted attribute values; a value placed inside a <script> block, an event handler or a URL needs context-specific encoding that html.EscapeString does not provide.

3

Use JSON for API Responses

For API endpoints, serialize data with encoding/json and send it with Content-Type: application/json (and X-Content-Type-Options: nosniff). The browser does not parse a JSON document as HTML, and encoding/json additionally escapes <, > and & as \u003c, \u003e and \u0026 by default. The protection depends on the Content-Type being correct: JSON served as text/html is still HTML to the browser.
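The pattern this rule flags and the three fixes above, side by side, as an added example (it is not code from the original page or from Sourcery). The handler names, the "name" query parameter and the render helper are assumptions made for the demonstration; the payload is a constructed sample.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// vulnerableHandler reproduces the flagged pattern: the "name" query
// parameter is formatted straight into an HTML body with fmt.Fprintf.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("name") // attacker-controlled
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, "<h1>Hello, %s!</h1>", name) // no escaping: reflected XSS
}

// Fix 1: html/template. Parsed once at startup; {{.}} is escaped for the
// HTML text context it appears in when the template is executed.
var greetingTmpl = template.Must(template.New("greeting").Parse("<h1>Hello, {{.}}!</h1>"))

func templateHandler(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("name")
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	if err := greetingTmpl.Execute(w, name); err != nil {
		http.Error(w, "render failed", http.StatusInternalServerError)
	}
}

// Fix 2: manual escaping. html.EscapeString covers HTML text content and
// quoted attribute values, which is all this response contains.
func escapeHandler(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("name")
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, "<h1>Hello, %s!</h1>", html.EscapeString(name))
}

// Fix 3: JSON for API responses. The Content-Type keeps the browser from
// treating the body as HTML, nosniff stops it from guessing otherwise, and
// encoding/json escapes <, > and & as \u003c, \u003e and \u0026 anyway.
func jsonHandler(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("name")
	w.Header().Set("Content-Type", "application/json")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	if err := json.NewEncoder(w).Encode(map[string]string{"greeting": "Hello, " + name + "!"}); err != nil {
		http.Error(w, "encode failed", http.StatusInternalServerError)
	}
}

// render drives a handler in-process with the given "name" value and returns
// the response body, so the four behaviours can be compared offline.
func render(h http.HandlerFunc, name string) string {
	req := httptest.NewRequest(http.MethodGet, "/?name="+url.QueryEscape(name), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Body.String()
}

func main() {
	// Constructed sample payload, the classic reflected-XSS probe.
	payload := "<script>alert(1)</script>"
	fmt.Println("vulnerable:", render(vulnerableHandler, payload))
	fmt.Println("template:  ", render(templateHandler, payload))
	fmt.Println("escaped:   ", render(escapeHandler, payload))
	fmt.Print("json:       ", render(jsonHandler, payload))
}
```

Running main shows the vulnerable handler echoing the <script> element intact, while both HTML fixes emit &lt;script&gt;...&lt;/script&gt; and the JSON handler emits \u003cscript\u003e inside a string literal. Note that html/template and html.EscapeString differ on some characters (html/template also encodes + as &#43;), so do not mix the two and expect byte-identical output.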

Detect This Vulnerability in Your Code

Sourcery automatically identifies cross-site scripting (xss) from url query data in responsewriter formatting in net/http handler and many other security issues in your codebase.