Avoid feeding request data into trusted template types | Critiq Docs

#Metadata

Rule ID: go.security.template-unescaped-request-value
Severity: high
Confidence: 0.8
Languages: go
Presets: security, strict
Stability: experimental
Applies to: block
Tags: go, rules-catalog, security, templates

#Why it matters

Trusted template types disable escaping and turn reflected input into cross-site scripting when executed in browsers.

#Remediation

Run untrusted strings through an HTML sanitizer such as bluemonday, prefer typed templates, or keep data in plain escaped fields.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/go/go.security.template-unescaped-request-value.rule.yaml.

Back to directory Open rule in repository