Change query id to go/html-template-escaping-bypass-xss

owen-mc · owen-mc · commit c2ebdf5266a9 · 2025-05-01T15:39:20.000+01:00
diff --git a/go/ql/src/Security/CWE-079/HTMLTemplateEscapingPassthrough.ql b/go/ql/src/Security/CWE-079/HTMLTemplateEscapingPassthrough.ql
@@ -4,7 +4,7 @@
  *              template, it may result in XSS.
  * @kind path-problem
  * @problem.severity warning
- * @id go/html-template-escaping-passthrough
+ * @id go/html-template-escaping-bypass-xss
  * @tags security
  *       experimental
  *       external/cwe/cwe-079
diff --git a/go/ql/test/query-tests/Security/CWE-079/HTMLTemplateEscapingPassthrough.go b/go/ql/test/query-tests/Security/CWE-079/HTMLTemplateEscapingPassthrough.go
@@ -26,45 +26,45 @@ func bad(req *http.Request) {
 
 	{
 		{
-			var a = template.HTML(req.UserAgent()) // $ Source[go/html-template-escaping-passthrough]
-			checkError(tmpl.Execute(os.Stdout, a)) // $ Alert[go/html-template-escaping-passthrough]
+			var a = template.HTML(req.UserAgent()) // $ Source[go/html-template-escaping-bypass-xss]
+			checkError(tmpl.Execute(os.Stdout, a)) // $ Alert[go/html-template-escaping-bypass-xss]
 		}
 		{
 			{
 				var a template.HTML
-				a = template.HTML(req.UserAgent())     // $ Source[go/html-template-escaping-passthrough]
-				checkError(tmpl.Execute(os.Stdout, a)) // $ Alert[go/html-template-escaping-passthrough]
+				a = template.HTML(req.UserAgent())     // $ Source[go/html-template-escaping-bypass-xss]
+				checkError(tmpl.Execute(os.Stdout, a)) // $ Alert[go/html-template-escaping-bypass-xss]
 			}
 			{
 				var a HTMLAlias
-				a = HTMLAlias(req.UserAgent())         // $ Source[go/html-template-escaping-passthrough]
-				checkError(tmpl.Execute(os.Stdout, a)) // $ Alert[go/html-template-escaping-passthrough]
+				a = HTMLAlias(req.UserAgent())         // $ Source[go/html-template-escaping-bypass-xss]
+				checkError(tmpl.Execute(os.Stdout, a)) // $ Alert[go/html-template-escaping-bypass-xss]
 			}
 		}
 	}
 	{
-		var c = template.HTMLAttr(req.UserAgent()) // $ Source[go/html-template-escaping-passthrough]
-		checkError(tmplTag.Execute(os.Stdout, c))  // $ Alert[go/html-template-escaping-passthrough]
+		var c = template.HTMLAttr(req.UserAgent()) // $ Source[go/html-template-escaping-bypass-xss]
+		checkError(tmplTag.Execute(os.Stdout, c))  // $ Alert[go/html-template-escaping-bypass-xss]
 	}
 	{
-		var d = template.JS(req.UserAgent())         // $ Source[go/html-template-escaping-passthrough]
-		checkError(tmplScript.Execute(os.Stdout, d)) // $ Alert[go/html-template-escaping-passthrough]
+		var d = template.JS(req.UserAgent())         // $ Source[go/html-template-escaping-bypass-xss]
+		checkError(tmplScript.Execute(os.Stdout, d)) // $ Alert[go/html-template-escaping-bypass-xss]
 	}
 	{
-		var e = template.JSStr(req.UserAgent())      // $ Source[go/html-template-escaping-passthrough]
-		checkError(tmplScript.Execute(os.Stdout, e)) // $ Alert[go/html-template-escaping-passthrough]
+		var e = template.JSStr(req.UserAgent())      // $ Source[go/html-template-escaping-bypass-xss]
+		checkError(tmplScript.Execute(os.Stdout, e)) // $ Alert[go/html-template-escaping-bypass-xss]
 	}
 	{
-		var b = template.CSS(req.UserAgent())  // $ Source[go/html-template-escaping-passthrough]
-		checkError(tmpl.Execute(os.Stdout, b)) // $ Alert[go/html-template-escaping-passthrough]
+		var b = template.CSS(req.UserAgent())  // $ Source[go/html-template-escaping-bypass-xss]
+		checkError(tmpl.Execute(os.Stdout, b)) // $ Alert[go/html-template-escaping-bypass-xss]
 	}
 	{
-		var f = template.Srcset(req.UserAgent())     // $ Source[go/html-template-escaping-passthrough]
-		checkError(tmplSrcset.Execute(os.Stdout, f)) // $ Alert[go/html-template-escaping-passthrough]
+		var f = template.Srcset(req.UserAgent())     // $ Source[go/html-template-escaping-bypass-xss]
+		checkError(tmplSrcset.Execute(os.Stdout, f)) // $ Alert[go/html-template-escaping-bypass-xss]
 	}
 	{
-		var g = template.URL(req.UserAgent())  // $ Source[go/html-template-escaping-passthrough]
-		checkError(tmpl.Execute(os.Stdout, g)) // $ Alert[go/html-template-escaping-passthrough]
+		var g = template.URL(req.UserAgent())  // $ Source[go/html-template-escaping-bypass-xss]
+		checkError(tmpl.Execute(os.Stdout, g)) // $ Alert[go/html-template-escaping-bypass-xss]
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -26,45 +26,45 @@ func bad(req *http.Request) {`
`26`	`26`
`27`	`27`	`{`
`28`	`28`	`{`
`29`		`- var a = template.HTML(req.UserAgent()) // $ Source[go/html-template-escaping-passthrough]`
`30`		`- checkError(tmpl.Execute(os.Stdout, a)) // $ Alert[go/html-template-escaping-passthrough]`
	`29`	`+ var a = template.HTML(req.UserAgent()) // $ Source[go/html-template-escaping-bypass-xss]`
	`30`	`+ checkError(tmpl.Execute(os.Stdout, a)) // $ Alert[go/html-template-escaping-bypass-xss]`
`31`	`31`	`}`
`32`	`32`	`{`
`33`	`33`	`{`
`34`	`34`	`var a template.HTML`
`35`		`- a = template.HTML(req.UserAgent()) // $ Source[go/html-template-escaping-passthrough]`
`36`		`- checkError(tmpl.Execute(os.Stdout, a)) // $ Alert[go/html-template-escaping-passthrough]`
	`35`	`+ a = template.HTML(req.UserAgent()) // $ Source[go/html-template-escaping-bypass-xss]`
	`36`	`+ checkError(tmpl.Execute(os.Stdout, a)) // $ Alert[go/html-template-escaping-bypass-xss]`
`37`	`37`	`}`
`38`	`38`	`{`
`39`	`39`	`var a HTMLAlias`
`40`		`- a = HTMLAlias(req.UserAgent()) // $ Source[go/html-template-escaping-passthrough]`
`41`		`- checkError(tmpl.Execute(os.Stdout, a)) // $ Alert[go/html-template-escaping-passthrough]`
	`40`	`+ a = HTMLAlias(req.UserAgent()) // $ Source[go/html-template-escaping-bypass-xss]`
	`41`	`+ checkError(tmpl.Execute(os.Stdout, a)) // $ Alert[go/html-template-escaping-bypass-xss]`
`42`	`42`	`}`
`43`	`43`	`}`
`44`	`44`	`}`
`45`	`45`	`{`
`46`		`- var c = template.HTMLAttr(req.UserAgent()) // $ Source[go/html-template-escaping-passthrough]`
`47`		`- checkError(tmplTag.Execute(os.Stdout, c)) // $ Alert[go/html-template-escaping-passthrough]`
	`46`	`+ var c = template.HTMLAttr(req.UserAgent()) // $ Source[go/html-template-escaping-bypass-xss]`
	`47`	`+ checkError(tmplTag.Execute(os.Stdout, c)) // $ Alert[go/html-template-escaping-bypass-xss]`
`48`	`48`	`}`
`49`	`49`	`{`
`50`		`- var d = template.JS(req.UserAgent()) // $ Source[go/html-template-escaping-passthrough]`
`51`		`- checkError(tmplScript.Execute(os.Stdout, d)) // $ Alert[go/html-template-escaping-passthrough]`
	`50`	`+ var d = template.JS(req.UserAgent()) // $ Source[go/html-template-escaping-bypass-xss]`
	`51`	`+ checkError(tmplScript.Execute(os.Stdout, d)) // $ Alert[go/html-template-escaping-bypass-xss]`
`52`	`52`	`}`
`53`	`53`	`{`
`54`		`- var e = template.JSStr(req.UserAgent()) // $ Source[go/html-template-escaping-passthrough]`
`55`		`- checkError(tmplScript.Execute(os.Stdout, e)) // $ Alert[go/html-template-escaping-passthrough]`
	`54`	`+ var e = template.JSStr(req.UserAgent()) // $ Source[go/html-template-escaping-bypass-xss]`
	`55`	`+ checkError(tmplScript.Execute(os.Stdout, e)) // $ Alert[go/html-template-escaping-bypass-xss]`
`56`	`56`	`}`
`57`	`57`	`{`
`58`		`- var b = template.CSS(req.UserAgent()) // $ Source[go/html-template-escaping-passthrough]`
`59`		`- checkError(tmpl.Execute(os.Stdout, b)) // $ Alert[go/html-template-escaping-passthrough]`
	`58`	`+ var b = template.CSS(req.UserAgent()) // $ Source[go/html-template-escaping-bypass-xss]`
	`59`	`+ checkError(tmpl.Execute(os.Stdout, b)) // $ Alert[go/html-template-escaping-bypass-xss]`
`60`	`60`	`}`
`61`	`61`	`{`
`62`		`- var f = template.Srcset(req.UserAgent()) // $ Source[go/html-template-escaping-passthrough]`
`63`		`- checkError(tmplSrcset.Execute(os.Stdout, f)) // $ Alert[go/html-template-escaping-passthrough]`
	`62`	`+ var f = template.Srcset(req.UserAgent()) // $ Source[go/html-template-escaping-bypass-xss]`
	`63`	`+ checkError(tmplSrcset.Execute(os.Stdout, f)) // $ Alert[go/html-template-escaping-bypass-xss]`
`64`	`64`	`}`
`65`	`65`	`{`
`66`		`- var g = template.URL(req.UserAgent()) // $ Source[go/html-template-escaping-passthrough]`
`67`		`- checkError(tmpl.Execute(os.Stdout, g)) // $ Alert[go/html-template-escaping-passthrough]`
	`66`	`+ var g = template.URL(req.UserAgent()) // $ Source[go/html-template-escaping-bypass-xss]`
	`67`	`+ checkError(tmpl.Execute(os.Stdout, g)) // $ Alert[go/html-template-escaping-bypass-xss]`
`68`	`68`	`}`
`69`	`69`	`}`
`70`	`70`