Property
Language: go
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Directly writing user input to http.ResponseWriter without proper HTML escaping can introduce cross-site scripting (XSS) vulnerabilities. Instead, use Go’s ‘html/template’ package to safely render user data in responses.

Impact

If exploited, attackers could inject malicious scripts into your web pages, leading to theft of user data, session hijacking, or manipulation of site content. This can compromise user trust and expose your application to regulatory and reputational risks.