
GoHTMLTemplate

html/template package — the safe version of text/template. Auto-escapes context-appropriately. HTML(), JS(), URL() types are escape bypasses when used with user input.

Taint flow: 0 sources, 3 sinks
Sinks — dangerous call
.HTML()
.JS()
.URL()

Sinks

.HTML() (Sink)
Signature: HTML(string)

Marks string as safe HTML — bypasses auto-escaping. XSS sink when value is user-controlled.

tracks:0

.JS() (Sink)
Signature: JS(string)

Marks string as safe JavaScript — bypasses auto-escaping. XSS sink.

tracks:0

.URL() (Sink)
Signature: URL(string)

Marks string as safe URL — bypasses sanitization. Open redirect sink.

tracks:0
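
The difference between a plain string and the typed-string sinks above, as an added example that is not part of the original page or of the codepathfinder project. The template, the field names Bio and Link, and the sample input are constructed for illustration; the URL case shows html/template's scheme filter being skipped.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// page puts one value in an HTML text context and one in a URL attribute context.
// Template and field names (Bio, Link) are assumptions made for this example.
var page = template.Must(template.New("page").Parse(
	`<p>{{.Bio}}</p><a href="{{.Link}}">profile</a>`))

// Constructed sample input standing in for untrusted request data.
const (
	userBio  = `<script>alert(1)</script>`
	userLink = `javascript:alert(1)`
)

// render executes the template with the given field values.
func render(bio, link any) string {
	var sb strings.Builder
	if err := page.Execute(&sb, map[string]any{"Bio": bio, "Link": link}); err != nil {
		return "error: " + err.Error()
	}
	return sb.String()
}

// renderSafe passes plain strings, so html/template escapes each value for its context.
func renderSafe() string { return render(userBio, userLink) }

// renderBypassed wraps the same input in template.HTML and template.URL,
// which tells the engine the content is already trusted.
func renderBypassed() string {
	return render(template.HTML(userBio), template.URL(userLink))
}

func main() {
	fmt.Println("plain strings:", renderSafe())
	fmt.Println("HTML()/URL(): ", renderBypassed())
}
```

With plain strings the markup is entity-encoded and the link is replaced by the #ZgotmplZ placeholder; with the typed wrappers both values reach the output as active content.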

Fully-Qualified Names

FQN            Field
html/template  fqns[0]

Wrong FQN → 0 findings. Verify with: change fqns to garbage → must produce 0 results.

Import

go.mod:
    // standard library — no go.mod entry required

rule.py:
    from codepathfinder.go_rule import GoHTMLTemplate

Rules Using This Class