Cross-site Scripting (XSS) in server.go error response
Description
CSP Request Details
None
CSP Rejection Details
None
Potential Workaround
None
Checklist

Julian Ladisch 2 days ago
Thank you!
func Error changes the Content-Type to text, server.go initially had set it to html: https://github.com/folio-org/mod-reporting/blob/v1.3.0/src/server.go#L106

Mike Taylor last week
Fixed in .

Mike Taylor last week
It seems to me that func Error(w ResponseWriter, error string, code int) does not escape the string, so html.EscapeString would be needed in any case — is that your understanding, too?

Mike Taylor last week
Nicely spotted! Thanks, I’ll take this.
Done
Details
Assignee

Reporter

Priority
Sprint
Development Team
Thor
Fix versions
Release
Sunflower (R1 2025) Bug Fix
RCA Group
TBD
Created March 9, 2025 at 10:46 AM
Updated 2 days ago
Resolved last week
snyk.io reports that server.go
https://github.com/folio-org/mod-reporting/blob/v1.3.0/src/server.go#L161
https://github.com/folio-org/mod-reporting/blob/v1.3.0/src/server.go#L176
creates an HTTP error response that may contain external content. An attacker may embed malicious HTML code into the external content resulting in a Cross-site Scripting (XSS) attack (provided that the response is directly displayed in the browser/front-end without masking of HTML entities).
Some options for a potential fix:
func Error(w ResponseWriter, error string, code int)
https://pkg.go.dev/net/http#Error
html.EscapeString
https://pkg.go.dev/net/http#hdr-Servers
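A constructed before/after handler showing the two fixes named in the report, added here as an example and not mod-reporting's code: the handler names, the `q` query parameter and the reflected message text are assumptions.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// handleBefore mirrors the pattern the report describes: the handler has
// declared an HTML response and then writes an externally supplied string
// into the error body unchanged, so any markup in that string is rendered
// by the browser as HTML. (Constructed illustration, not mod-reporting's code.)
func handleBefore(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.WriteHeader(http.StatusBadRequest)
	fmt.Fprintf(w, "<p>bad request: %s</p>", r.URL.Query().Get("q"))
}

// handleAfter applies both fixes from the ticket: html.EscapeString turns
// markup in the external value into inert entities, and http.Error overrides
// the Content-Type with text/plain and adds X-Content-Type-Options: nosniff,
// so the body is not interpreted as HTML even if escaping were ever missed.
func handleAfter(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8") // what the handler set before
	msg := "bad request: " + html.EscapeString(r.URL.Query().Get("q"))
	http.Error(w, msg, http.StatusBadRequest)
}

// respond drives a handler with a constructed request whose q parameter
// carries markup and returns status, Content-Type, nosniff header and body.
func respond(h http.HandlerFunc, q string) (int, string, string, string) {
	req := httptest.NewRequest(http.MethodGet, "/report?q="+url.QueryEscape(q), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	res := rec.Result()
	return res.StatusCode, res.Header.Get("Content-Type"),
		res.Header.Get("X-Content-Type-Options"), rec.Body.String()
}

func main() {
	in := "<b>x</b>" // constructed input containing markup, not an exploit
	code, ct, ns, body := respond(handleBefore, in)
	fmt.Printf("before: %d %q nosniff=%q body=%q\n", code, ct, ns, body)
	code, ct, ns, body = respond(handleAfter, in)
	fmt.Printf("after:  %d %q nosniff=%q body=%q\n", code, ct, ns, body)
}
```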