- Description: An attacker provides malicious input containing JavaScript code within an HTML attribute value (e.g.,
href,src,onclick,style,onmouseover, etc.). The attacker crafts a specially formed URL or form submission that includes this malicious input. Whenelemefe/elementuses this unescaped input to construct the HTML, the attacker's script is injected into the page. When a victim user views the page, the injected script executes in their browser.- Impact:
- Session Hijacking: The attacker's script can steal the victim's session cookies, allowing the attacker to impersonate the victim.
- Data Theft: The script can access and exfiltrate sensitive data displayed on the page or stored in the browser's local storage.
- Website Defacement: The script can modify the content of the page, displaying false information or redirecting the user to a malicious website.
- Malware Distribution: The script can attempt to download and execute malware on the victim's machine.
- Phishing: The script can present fake login forms to steal user credentials.
- Affected Component: The
element.Newfunction (and any other functions that acceptelement.Attributes) when used with user-supplied data for attribute values without prior escaping. Specifically, any code path where anelement.Attributesmap is populated with untrusted data. - Risk Severity: Critical
- Mitigation Strategies:
- Input Validation: Validate all user input to ensure it conforms to the expected data type and format (e.g., URLs should be valid URLs, numbers should be numbers). Reject any input that doesn't match.
- Attribute-Specific Escaping: Use a dedicated HTML attribute escaping library (like Go's
html/templateor a specialized attribute encoder) to escape all user-supplied data before inserting it into attribute values. Different attributes require different escaping rules. For example,url.QueryEscapeis suitable for URL query parameters, but not for the entirehrefattribute.html/templatehandles this contextually. - Content Security Policy (CSP): Implement a strict CSP to limit the sources from which scripts can be loaded and executed. This provides a defense-in-depth mechanism even if escaping fails.
- Avoid Dynamic Attributes (If Possible): If the set of attributes is known and limited, prefer hardcoding them rather than dynamically generating them from user input.
- Impact:
- Description: An attacker provides malicious input containing HTML tags and JavaScript code intended to be used as the text content of an HTML element. The attacker submits this input through a form or other input mechanism.
elemefe/elementuses this unescaped input as the text content (the third argument toelement.New). When the page is rendered, the browser interprets the injected HTML and executes the embedded JavaScript.- Impact: (Same as Attribute-Based XSS - Session Hijacking, Data Theft, Website Defacement, Malware Distribution, Phishing)
- Affected Component: The
element.Newfunction (and any helper functions that create child elements) when used with user-supplied data as the text content (the third argument) without prior escaping. Any code path where untrusted data is passed directly as the text content of an element. - Risk Severity: Critical
- Mitigation Strategies:
- HTML Escaping: Use Go's
html/templatepackage to escape all user-supplied data before using it as text content.html/templateprovides contextual escaping, which is crucial for preventing XSS. This is the primary mitigation. - Input Validation: Validate user input to ensure it conforms to the expected format. If plain text is expected, reject input containing HTML tags.
- Content Security Policy (CSP): A CSP can provide an additional layer of defense.
- HTML Escaping: Use Go's