Rule | Description | Example | KPI |
---|---|---|---|
G203-UseOfUnescapedDataInHTMLTemplates | Use of unescaped data in HTML templates. Package template (html/template) implements data-driven templates for generating HTML output safe against code injection. It provides the same interface as package text/template and should be used instead of text/template whenever the output is HTML. "html/template" provides automatic, context-sensitive escaping safe against code injection. HTML templates treat data values as plain text which should be encoded so they can be safely embedded in an HTML document. The escaping is contextual, so actions can appear within JavaScript, CSS, and URI contexts. If the output is not HTML, use text/template instead, which does not escape data. | `import "html/template"` / `func unescape(s string) template.HTML { return template.HTML(s) }` | Security |
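The difference the G203 rule is about, shown as an added example (not part of the rule table or of gosec itself): the same attacker-influenced string rendered once through html/template's contextual escaping and once after being wrapped in `template.HTML`, which marks it as trusted and bypasses that escaping. The template text and the sample input are constructed for this illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Constructed sample input: text that a user could submit to the application.
const sampleInput = `<script>alert(1)</script>`

// A minimal page template; {{.}} is in an HTML text context, so html/template
// applies HTML escaping to whatever value is executed into it.
var page = template.Must(template.New("page").Parse(`<p>{{.}}</p>`))

// RenderEscaped executes the template with a plain string. html/template
// encodes it as text, so markup in the input cannot become part of the page.
func RenderEscaped(s string) (string, error) {
	var buf bytes.Buffer
	if err := page.Execute(&buf, s); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderUnescaped wraps the string in template.HTML before executing the
// template. That type tells html/template the value is already safe HTML,
// so no escaping is applied. This is the pattern G203 reports.
func RenderUnescaped(s string) (string, error) {
	var buf bytes.Buffer
	if err := page.Execute(&buf, template.HTML(s)); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	escaped, _ := RenderEscaped(sampleInput)
	raw, _ := RenderUnescaped(sampleInput)
	fmt.Println("escaped:  ", escaped) // <p>&lt;script&gt;alert(1)&lt;/script&gt;</p>
	fmt.Println("unescaped:", raw)     // <p><script>alert(1)</script></p>
}
```

Only values that are already known to be safe HTML (for example, output of a server-side sanitizer or a static fragment) should ever be wrapped in `template.HTML`; wrapping request data, as `RenderUnescaped` does, turns html/template back into text/template for that value.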