Standard Library

GoTemplate

Represents html/template.Template and text/template.Template. Execute() and ExecuteTemplate() are XSS sinks when the data they render contains unsanitized user input and the template is a text/template, which performs no escaping; html/template escapes interpolated values according to their HTML context and is not the concern here.

Summary: 3 sinks (taint flow: 0 sources, 3 sinks)

Sinks (dangerous calls):
.Execute()
.ExecuteTemplate()
.Parse()

Sinks

.Execute() [Sink]
Signature
Execute(wr io.Writer, data any) error

Renders the template with data. XSS sink for text/template when data is user-controlled, because text/template writes the value into the output without escaping.

tracks:1
.ExecuteTemplate() [Sink]
Signature
ExecuteTemplate(wr io.Writer, name string, data any) error

Renders the named template from the template set. Same XSS risk as Execute.

tracks:2
.Parse() [Sink]
Signature
Parse(text string) (*Template, error)

Parses template text. Server-side template injection if text is user-controlled, since the caller then controls the template's actions and pipelines rather than just the data rendered into it.

tracks:0
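As an added example (not part of this reference page or of CodePathFinder), the following Go program renders the same constructed untrusted value through text/template and html/template so that the difference the Execute() sink description relies on is visible in the output. The template source is a trusted constant, and only the data argument carries user input, which is the pattern that keeps user-controlled text away from Parse(). The function names, the template text and the sample value are all constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// page is the template source. It is a trusted constant: user input never
// reaches Parse(), only the data argument of Execute().
const page = `<p>Hello, {{.Name}}!</p>`

// viewData is the value passed to Execute(); Name stands in for a request field.
type viewData struct {
	Name string
}

// renderText renders with text/template. It performs no escaping, so whatever
// is in Name lands in the HTML output verbatim: the sink described above.
func renderText(name string) (string, error) {
	t, err := texttemplate.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, viewData{Name: name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderHTML renders the identical template with html/template, which escapes
// Name according to the HTML context it appears in (here, element text).
func renderHTML(name string) (string, error) {
	t, err := htmltemplate.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, viewData{Name: name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed untrusted value, as it might arrive from a query parameter.
	untrusted := `<script>alert("xss")</script>`

	raw, err := renderText(untrusted)
	if err != nil {
		panic(err)
	}
	safe, err := renderHTML(untrusted)
	if err != nil {
		panic(err)
	}
	fmt.Println("text/template:", raw)
	fmt.Println("html/template:", safe)
}
```

The text/template output still contains the raw script element, while html/template emits `&lt;script&gt;alert(&#34;xss&#34;)&lt;/script&gt;`. Switching the import is the fix for this sink class only when the output really is HTML; for other formats the data still needs escaping appropriate to that format before it reaches Execute().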

Fully-Qualified Names

FQN                       Field
html/template.Template    fqns[0]
text/template.Template    fqns[1]
*.Template                patterns

A wrong FQN yields 0 findings. To verify that a match is real, change fqns to a nonsense value: the rule must then produce 0 results.

Import

go.mod
// standard library — no go.mod entry required
rule.py
from codepathfinder.go_rule import GoTemplate

Rules Using This Class