Cross-site scripting (XSS) via printf in http.ResponseWriter.Write output

High Risk cross-site-scripting
gonet/httpprintfresponsewriterxssweb

What it is

XSS vulnerability in Go net/http applications where fmt.Printf output is written to http.ResponseWriter without HTML escaping, rendering user-controlled data directly into pages and allowing malicious scripts to execute in user browsers.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

Output produced by printf-style formatting (fmt.Fprintf(w, ...) or fmt.Sprintf) that contains user-controlled data is written to the http.ResponseWriter as HTML without escaping, so any markup in that data becomes part of the page.

Root causes

Printf Output to ResponseWriter

fmt.Printf or fmt.Sprintf output containing user data is written to ResponseWriter without escaping.

Lack of HTML Escaping

Printf-formatted output is written as raw bytes: unlike html/template, nothing escapes the interpolated values, so user-supplied `<`, `>`, quotes and `&` reach the browser unchanged.

Fixes

1. Use html/template for Response Rendering

Replace printf writes with html/template.Template and Execute for automatic, context-aware HTML escaping.

2. Manual HTML Escaping with template.HTMLEscapeString

Escape user data with template.HTMLEscapeString before using it in printf-style formatting.

3. Use JSON for Structured Data

For API responses, encode the payload with encoding/json and serve it with a JSON Content-Type, so the browser never interprets the body as HTML.
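As an added example (not code from the Sourcery rule page), the flagged pattern sits beside fixes 1 and 2 from the list above; the greeting handler, function names and the sample input are constructed for illustration.

```go
package main

import (
	"fmt"
	"html/template"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// unsafeGreeting reproduces the flagged pattern: user input is interpolated
// with fmt.Sprintf and the result reaches the response as raw HTML.
func unsafeGreeting(name string) string {
	return fmt.Sprintf("<h1>Hello, %s!</h1>", name)
}

// escapedGreeting is fix 2: the value is HTML-escaped before formatting.
func escapedGreeting(name string) string {
	return fmt.Sprintf("<h1>Hello, %s!</h1>", template.HTMLEscapeString(name))
}

// greetingTmpl is fix 1: html/template escapes {{.}} according to its context.
var greetingTmpl = template.Must(template.New("greeting").Parse("<h1>Hello, {{.}}!</h1>"))

func renderGreeting(w io.Writer, name string) error {
	return greetingTmpl.Execute(w, name)
}

// handler reads the name from the query string and renders it via html/template.
func handler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	if err := renderGreeting(w, r.URL.Query().Get("name")); err != nil {
		http.Error(w, "render failed", http.StatusInternalServerError)
	}
}

// serveGreeting drives handler with a constructed request and returns the body.
func serveGreeting(name string) string {
	req := httptest.NewRequest(http.MethodGet, "/?name="+url.QueryEscape(name), nil)
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Body.String()
}

func main() {
	payload := "<script>alert(1)</script>" // constructed sample input
	fmt.Println(unsafeGreeting(payload))   // markup passes through unchanged
	fmt.Println(escapedGreeting(payload))  // &lt;script&gt;... rendered as text
	fmt.Println(serveGreeting(payload))    // same result via html/template
}
```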

Detect This Vulnerability in Your Code

Sourcery automatically identifies cross-site scripting (XSS) via printf in http.ResponseWriter.Write output and many other security issues in your codebase.