Go template.HTMLAttr XSS Vulnerability

// SECURE: Auto-escaping with structured templates
type ElementData struct {
    Class string
    ID    string
    Title string
}

var safeTemplate = template.Must(template.New("element").Parse(`
<div class="{{.Class}}" id="{{.ID}}" title="{{.Title}}">Content</div>
`))

func safeHandler(w http.ResponseWriter, r *http.Request) {
    data := ElementData{
        Class: validateClass(r.URL.Query().Get("class")),
        ID:    validateID(r.URL.Query().Get("id")),
        Title: r.URL.Query().Get("title"), // Auto-escaped
    }
    safeTemplate.Execute(w, data)
}

// Strict validation functions
func validateClass(class string) string {
    allowedClasses := map[string]bool{
        "primary":   true,
        "secondary": true,
        "success":   true,
        "danger":    true,
        "warning":   true,
        "info":      true,
    }
    
    clean := strings.TrimSpace(strings.ToLower(class))
    if allowedClasses[clean] {
        return clean
    }
    return "default" // Safe fallback
}

func validateID(id string) string {
    // Only allow alphanumeric, hyphen, underscore
    re := regexp.MustCompile(`^[a-zA-Z0-9_-]+$`)
    if re.MatchString(id) && len(id) <= 50 {
        return id
    }
    return "" // Invalid ID becomes empty
}

// SECURE: Only use HTMLAttr with constants
func getButtonClass(userChoice string) template.HTMLAttr {
    switch validateClass(userChoice) {
    case "primary":
        return template.HTMLAttr(`class="btn btn-primary"`)
    case "secondary":
        return template.HTMLAttr(`class="btn btn-secondary"`)
    case "danger":
        return template.HTMLAttr(`class="btn btn-danger"`)
    default:
        return template.HTMLAttr(`class="btn btn-default"`)
    }
}

func conditionalHandler(w http.ResponseWriter, r *http.Request) {
    buttonClass := getButtonClass(r.URL.Query().Get("type"))
    
    tmpl := template.Must(template.New("button").Parse(`
        <button {{.ButtonClass}}>Click Me</button>
    `))
    
    tmpl.Execute(w, map[string]interface{}{
        "ButtonClass": buttonClass,
    })
}

// Attribute sanitization
func sanitizeTitle(title string) string {
    // Remove dangerous characters
    title = strings.TrimSpace(title)
    if len(title) > 100 {
        title = title[:100]
    }
    
    // Remove quotes, brackets, and script-like content
    dangerous := regexp.MustCompile(`[<>'"&(){}\[\]]`)
    title = dangerous.ReplaceAllString(title, "")
    
    // Remove javascript: and data: schemes
    schemes := regexp.MustCompile(`(?i)(javascript|data|vbscript):`)
    title = schemes.ReplaceAllString(title, "")
    
    return title
}

func safeAttributeHandler(w http.ResponseWriter, r *http.Request) {
    title := sanitizeTitle(r.URL.Query().Get("title"))
    
    data := struct{ Title string }{Title: title}
    template.Must(template.New("safe").Parse(`
        <div title="{{.Title}}">Safe content</div>
    `)).Execute(w, data)
}

// CSP headers for additional protection
func addSecurityHeaders(w http.ResponseWriter) {
    // Prevent inline scripts and styles
    w.Header().Set("Content-Security-Policy",
        "default-src 'self'; "+
        "script-src 'self' 'unsafe-eval'; "+ // Remove unsafe-eval in production
        "style-src 'self' 'unsafe-inline'; "+
        "img-src 'self' data:; "+
        "connect-src 'self'; "+
        "frame-ancestors 'none'")
    
    w.Header().Set("X-Content-Type-Options", "nosniff")
    w.Header().Set("X-Frame-Options", "DENY")
    w.Header().Set("X-XSS-Protection", "1; mode=block")
}

func secureHandler(w http.ResponseWriter, r *http.Request) {
    addSecurityHeaders(w)
    
    // Safe template rendering
    data := struct{ UserClass string }{
        UserClass: validateClass(r.URL.Query().Get("class")),
    }
    template.Must(template.New("secure").Parse(`
        <div class="{{.UserClass}}">Secure content</div>
    `)).Execute(w, data)
}