Description
Mars contains a cross-site scripting vulnerability that allows attackers to inject JavaScript code into the HTML output of your templates if all of these conditions are met:
- You are using the string interpolation features as part of your translation strings, and
- User input is added to these translation strings without escaping, and
- You are using the msg template function to translate messages.
Example translation strings, messages.en:
unable-to-send-msg-error=Unable send message "%s"!
Translation approach that is not vulnerable:
- Controller:
  c.RenderArgs["errMsg"] = c.Message("unable-to-send-msg-error", c.Params.Get("message"))
- View:
  <p class="error">{{.errMsg}}</p>
Translation approach that is vulnerable:
- Controller:
  c.RenderArgs["usersMessage"] = c.Params.Get("message")
- View:
  <p class="error">{{msg $ `unable-to-send-msg-error` .usersMessage}}</p>
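The following self-contained Go program is an added example, not Mars project code, that reproduces the difference between the two approaches with the standard html/template package. It assumes a msg-style helper that interpolates its arguments into the translation and returns the result as template.HTML, which is the behaviour the conditions above describe: html/template then emits it without escaping, so whatever the user put in the parameter lands in the page as markup. The controller approach passes a plain string, which {{.errMsg}} escapes for the HTML context. A third, hypothetical variant (msgEscaped) shows one way to keep markup in the translation string itself while escaping each interpolated argument; it is not the fix the project chose. The translation table and the input are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Constructed stand-in for the messages.en file shown on the page
// (assumption: translations are looked up from a map by key).
var messages = map[string]string{
	"unable-to-send-msg-error": `Unable send message "%s"!`,
}

// View markup from the page, one constant per translation approach.
const (
	controllerView = `<p class="error">{{.errMsg}}</p>`
	msgView        = "<p class=\"error\">{{msg $ `unable-to-send-msg-error` .usersMessage}}</p>"
)

// msgUnsafe models the behaviour described in the issue: the translation is
// interpolated with the caller's arguments and returned as template.HTML, so
// html/template treats the whole string, user input included, as trusted.
// The first parameter stands in for the `$` view context in the page's
// template and is unused here.
func msgUnsafe(_ interface{}, key string, args ...interface{}) template.HTML {
	return template.HTML(fmt.Sprintf(messages[key], args...))
}

// msgEscaped is a hypothetical hardened variant: every argument is
// HTML-escaped before interpolation, so markup in the translation string
// survives while markup coming from user input does not.
func msgEscaped(_ interface{}, key string, args ...interface{}) template.HTML {
	escaped := make([]interface{}, len(args))
	for i, a := range args {
		escaped[i] = template.HTMLEscapeString(fmt.Sprint(a))
	}
	return template.HTML(fmt.Sprintf(messages[key], escaped...))
}

// render parses and executes a view with the given template functions.
func render(view string, funcs template.FuncMap, data map[string]interface{}) (string, error) {
	t, err := template.New("view").Funcs(funcs).Parse(view)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderViaController is the non-vulnerable approach: the controller
// translates to a plain string and {{.errMsg}} is contextually escaped.
func RenderViaController(userInput string) (string, error) {
	errMsg := fmt.Sprintf(messages["unable-to-send-msg-error"], userInput)
	return render(controllerView, nil, map[string]interface{}{"errMsg": errMsg})
}

// RenderViaMsg is the vulnerable approach: raw user input reaches the msg
// template function, whose template.HTML result is emitted unescaped.
func RenderViaMsg(userInput string) (string, error) {
	funcs := template.FuncMap{"msg": msgUnsafe}
	return render(msgView, funcs, map[string]interface{}{"usersMessage": userInput})
}

// RenderViaEscapedMsg is the same view wired to the escaping msg variant.
func RenderViaEscapedMsg(userInput string) (string, error) {
	funcs := template.FuncMap{"msg": msgEscaped}
	return render(msgView, funcs, map[string]interface{}{"usersMessage": userInput})
}

func main() {
	// Constructed input: harmless markup that must never render as a tag.
	const input = "<b>hi</b>"
	cases := []struct {
		name string
		fn   func(string) (string, error)
	}{
		{"controller", RenderViaController},
		{"msg", RenderViaMsg},
		{"escaped msg", RenderViaEscapedMsg},
	}
	for _, c := range cases {
		out, err := c.fn(input)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-12s %s\n", c.name+":", out)
	}
}
```

Running it shows the controller route and the escaped variant emitting `&lt;b&gt;hi&lt;/b&gt;`, while the msg route emits `<b>hi</b>` verbatim inside the paragraph. The detection point for reviewers is any template function that returns template.HTML built from a format string whose arguments can be influenced by the request.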
The fix for this issue will disable HTML in message translation strings; a better approach that allows such strings will be implemented in a separate ticket.
Thanks to @ptman for reporting this.