go.unsafe_template

Security Critical

Detects unsafe HTML template usage that can lead to cross-site scripting (XSS) vulnerabilities.

Unsafe templates enable:

  • XSS attacks — Attackers inject malicious scripts
  • Session hijacking — Stolen cookies and tokens
  • Data theft — Access to sensitive page content
  • Malware distribution — Redirects to malicious sites
```go
// ❌ Before (unsafe - uses text/template, which performs no escaping)
import (
	"net/http"
	"text/template"
)

func handler(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("name")
	t := template.New("page")
	t.Parse(`<h1>Hello {{.}}</h1>`)
	t.Execute(w, name) // XSS if name contains <script>: the value is written verbatim
}
```

```go
// ✅ After (safe - uses html/template, which escapes per HTML context)
import (
	"html/template"
	"net/http"
)

func handler(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("name")
	t := template.New("page")
	t.Parse(`<h1>Hello {{.}}</h1>`)
	t.Execute(w, name) // Auto-escaped: < and > become &lt; and &gt;
}
```
Patterns flagged by this rule:

  • text/template used for HTML output
  • template.HTML() with user input
  • template.JS() with user input
  • Missing auto-escaping in templates
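The following is an added example, not code from the Unfault docs or from the rule itself. It renders the page's `<h1>Hello {{.}}</h1>` template three ways with a constructed input so the difference is visible: text/template (no escaping), html/template (escaped), and html/template with the value wrapped in template.HTML, which is the second flagged pattern and disables escaping again.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// The template from the page, unchanged.
const page = `<h1>Hello {{.}}</h1>`

// Constructed sample input: markup that should never reach the browser unescaped.
const sampleInput = "<script>x</script>"

// renderText uses text/template: the value is substituted verbatim, so any markup
// in it becomes part of the page. This is the pattern the rule flags.
func renderText(name string) string {
	var buf bytes.Buffer
	t := texttemplate.Must(texttemplate.New("page").Parse(page))
	if err := t.Execute(&buf, name); err != nil {
		return "error: " + err.Error()
	}
	return buf.String()
}

// renderHTML uses html/template: contextual auto-escaping turns < and > into
// &lt; and &gt;, so the input is displayed as text rather than parsed as markup.
func renderHTML(name string) string {
	var buf bytes.Buffer
	t := htmltemplate.Must(htmltemplate.New("page").Parse(page))
	if err := t.Execute(&buf, name); err != nil {
		return "error: " + err.Error()
	}
	return buf.String()
}

// renderTrustedHTML wraps the value in template.HTML, which tells html/template
// the content is already safe; escaping is skipped, so user input here is unsafe.
func renderTrustedHTML(name string) string {
	var buf bytes.Buffer
	t := htmltemplate.Must(htmltemplate.New("page").Parse(page))
	if err := t.Execute(&buf, htmltemplate.HTML(name)); err != nil {
		return "error: " + err.Error()
	}
	return buf.String()
}

func main() {
	fmt.Println("text/template:         ", renderText(sampleInput))
	fmt.Println("html/template:         ", renderHTML(sampleInput))
	fmt.Println("html/template + HTML(): ", renderTrustedHTML(sampleInput))
}
```

Only the middle render is safe; the third output is byte-for-byte identical to the first, which is why the rule treats template.HTML() applied to user input as equivalent to using text/template.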

Unfault generates patches that switch to html/template:

```go
// Change import
import "html/template" // NOT "text/template"
```