[codeql-go]: Add CWE-79: HTML template escaping passthrough

## Query

This query is going to be merged into the [codeql-go](https://github.com/github/codeql-go) repository through this PR: https://github.com/github/codeql-go/pull/493

## CVE ID(s)

No CVEs, yet.

## Report

**Short summary**

This query finds cases where an (html) template is executed using user-provided values that were converted to types that allow completely avoiding the escaping that (normally) values would undergo in the HTML template execution.

**Longer summary**

Go has a package from the standard library for safely creating and handling HTML templates: `html/template`

Normally, any value provided to a template from the `html/template` package would be sensibly escaped to avoid any possible XSS.

Example:

```golang
package main

import (
	"html/template"
	"os"
)

func main() {
	tmpl, _ := template.New("test").Parse(`<div>Hello, <b>{{.}}</b></div>`)

	{ // This will be correctly escaped:
		var escaped = `<img src="example.gif" onload="alert(document.cookie)" width="100" height="132">`
		tmpl.Execute(os.Stdout, escaped)
	}
}

```

will render to

```html
<div>Hello, <b>&lt;img src=&#34;example.gif&#34; onload=&#34;alert(document.cookie)&#34; width=&#34;100&#34; height=&#34;132&#34;&gt;</b></div>
```

However, there are a few special types ([HTML](https://pkg.go.dev/html/template#HTML), [HTMLAttr](https://pkg.go.dev/html/template#HTMLAttr), [JS](https://pkg.go.dev/html/template#JS), [JSStr](https://pkg.go.dev/html/template#JSStr), [CSS](https://pkg.go.dev/html/template#CSS), [Srcset](https://pkg.go.dev/html/template#Srcset), and [URL](https://pkg.go.dev/html/template#URL)) that allow values to avoid being escaped.

Example:

```golang
package main

import (
	"html/template"
	"os"
)

func main() {
	tmpl, _ := template.New("test").Parse(`<div>Hello, <b>{{.}}</b></div>`)

	{
		// This will render any provided HTML.
		var passthrough = template.HTML(`<img src="example.gif" onload="alert(document.cookie)" width="100" height="132">`)
		tmpl.Execute(os.Stdout, passthrough)
	}
}

```

will render to

```html
<div>Hello, <b><img src="example.gif" onload="alert(document.cookie)" width="100" height="132"></b></div>
```

In essence, converting anything that is user-provided to one of the above types makes an application potentially vulnerable to XSS.

- [x] Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). *We would love to have you spread the word about the good work you are doing*

No, I'm not planning on discussing this vulnerability submission publicly.


## Result(s)

*Provide at least one useful result found by your query, on some revision of a real project.*

- [Values from `r.Form` are converted to `template.HTML` and used in a template](https://lgtm.com/projects/g/GwynethLlewelyn/gobot/snapshot/6a5d0f61112bc608795600e208ee6e3dfe7c16c1/files/backoffice.go#x10b58df405fb6c64:1)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[codeql-go]: Add CWE-79: HTML template escaping passthrough #306

Query

CVE ID(s)

Report

Result(s)

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[codeql-go]: Add CWE-79: HTML template escaping passthrough #306

Description

Query

CVE ID(s)

Report

Result(s)

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions