
Commit 3cf0be3

committed
Reformat go files
1 parent 3dfc9f6 commit 3cf0be3

23 files changed

Lines changed: 119 additions & 118 deletions


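--- a/go/ql/test/experimental/CWE-203/timing.go
+++ b/go/ql/test/experimental/CWE-203/timing.go
@@ -38,7 +38,7 @@ func bad4(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 secret := "MySuperSecretPasscode"
 secretHeader := "X-Secret"
 
-headerSecret := req.Header.Get(secretHeader) // $ Source[go/timing-attack]
+headerSecret := req.Header.Get(secretHeader) // $ Source[go/timing-attack]
 if len(secret) != 0 && headerSecret != "SecretStringLiteral" { // $ Alert[go/timing-attack]
 return nil, fmt.Errorf("header %s=%s did not match expected secret", secretHeader, headerSecret)
 }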

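--- a/go/ql/test/experimental/CWE-522-DecompressionBombs/test.go
+++ b/go/ql/test/experimental/CWE-522-DecompressionBombs/test.go
@@ -57,9 +57,9 @@ func DecompressHandler(w http.ResponseWriter, request *http.Request) {
 GZipOpenReaderSafe(request.PostFormValue("test"))
 ZipOpenReaderSafe(request.PostFormValue("test"))
 ZipOpenReader(request.FormValue("filepath")) // $ Source[go/uncontrolled-file-decompression]
-ZipNewReader(request.Body) // $ Source[go/uncontrolled-file-decompression]
-ZipNewReaderKlauspost(request.Body) // $ Source[go/uncontrolled-file-decompression]
-Bzip2Dsnet(request.Body) // $ Source[go/uncontrolled-file-decompression]
+ZipNewReader(request.Body) // $ Source[go/uncontrolled-file-decompression]
+ZipNewReaderKlauspost(request.Body) // $ Source[go/uncontrolled-file-decompression]
+Bzip2Dsnet(request.Body) // $ Source[go/uncontrolled-file-decompression]
 Bzip2DsnetSafe(request.Body)
 Bzip2(request.Body) // $ Source[go/uncontrolled-file-decompression]
 Bzip2Safe(request.Body)
@@ -82,7 +82,7 @@ func DecompressHandler(w http.ResponseWriter, request *http.Request) {
 Gzip(request.Body) // $ Source[go/uncontrolled-file-decompression]
 GzipSafe(request.Body)
 GZipIoReader(request.Body, "dest") // $ Source[go/uncontrolled-file-decompression]
-GzipKlauspost(request.Body) // $ Source[go/uncontrolled-file-decompression]
+GzipKlauspost(request.Body) // $ Source[go/uncontrolled-file-decompression]
 GzipKlauspostSafe(request.Body)
 PzipKlauspost(request.Body) // $ Source[go/uncontrolled-file-decompression]
 PzipKlauspostSafe(request.Body)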

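--- a/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/test.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/test.go
@@ -22,7 +22,7 @@ func testDbMethods(bdb *orm.DB, untrustedSource *http.Request) {
 
 // BAD: using untrusted data to build SQL queries (QueryBuilder does not sanitize its arguments)
 func testQueryBuilderMethods(qb orm.QueryBuilder, untrustedSource *http.Request) {
-untrusted := untrustedSource.UserAgent() // $ Source[go/sql-injection]
+untrusted := untrustedSource.UserAgent() // $ Source[go/sql-injection]
 untrusted2 := untrustedSource.UserAgent() // $ Source[go/sql-injection]
 
 qb.Select(untrusted) // $ querystring=untrusted Alert[go/sql-injection]
@@ -55,14 +55,14 @@ func testOrmerRaw(ormer orm.Ormer, untrustedSource *http.Request) {
 
 func testFilterRaw(querySeter orm.QuerySeter, untrustedSource *http.Request) {
 untrusted := untrustedSource.UserAgent() // $ Source[go/sql-injection]
-querySeter.FilterRaw(untrusted, "safe") // $ querystring="safe" // GOOD: untrusted used as a column name
-querySeter.FilterRaw("safe", untrusted) // $ querystring=untrusted Alert[go/sql-injection] // BAD: untrusted used as a SQL fragment
+querySeter.FilterRaw(untrusted, "safe") // $ querystring="safe" // GOOD: untrusted used as a column name
+querySeter.FilterRaw("safe", untrusted) // $ querystring=untrusted Alert[go/sql-injection] // BAD: untrusted used as a SQL fragment
 }
 
 func testConditionRaw(cond orm.Condition, untrustedSource *http.Request) {
 untrusted := untrustedSource.UserAgent() // $ Source[go/sql-injection]
-cond.Raw(untrusted, "safe") // $ querystring="safe" // GOOD: untrusted used as a column name
-cond.Raw("safe", untrusted) // $ querystring=untrusted Alert[go/sql-injection] // BAD: untrusted used as a SQL fragment
+cond.Raw(untrusted, "safe") // $ querystring="safe" // GOOD: untrusted used as a column name
+cond.Raw("safe", untrusted) // $ querystring=untrusted Alert[go/sql-injection] // BAD: untrusted used as a SQL fragment
 }
 
 type SubStruct struct {
@@ -77,90 +77,90 @@ type MyStruct struct {
 // BAD: (possible stored XSS) retrieving data from a database then writing to an HTTP response
 func testOrmerReads(ormer orm.Ormer, sink http.ResponseWriter) {
 obj := MyStruct{}
-ormer.Read(&obj) // $ Source[go/stored-xss]
-sink.Write([]byte(obj.field)) // $ Alert[go/stored-xss]
+ormer.Read(&obj) // $ Source[go/stored-xss]
+sink.Write([]byte(obj.field)) // $ Alert[go/stored-xss]
 sink.Write([]byte(obj.substructs[0].field)) // $ Alert[go/stored-xss]
 
 obj2 := MyStruct{}
-ormer.ReadForUpdate(&obj2) // $ Source[go/stored-xss]
+ormer.ReadForUpdate(&obj2) // $ Source[go/stored-xss]
 sink.Write([]byte(obj2.field)) // $ Alert[go/stored-xss]
 
 obj3 := MyStruct{}
 ormer.ReadOrCreate(&obj3, "arg") // $ Source[go/stored-xss]
-sink.Write([]byte(obj3.field)) // $ Alert[go/stored-xss]
+sink.Write([]byte(obj3.field)) // $ Alert[go/stored-xss]
 }
 
 // BAD: (possible stored XSS) retrieving data from a database then writing to an HTTP response
 func testFieldReads(textField *orm.TextField, jsonField *orm.JSONField, jsonbField *orm.JsonbField, sink http.ResponseWriter) {
-sink.Write([]byte(textField.Value())) // $ Alert[go/stored-xss]
-sink.Write([]byte(textField.RawValue().(string))) // $ Alert[go/stored-xss]
-sink.Write([]byte(textField.String())) // $ Alert[go/stored-xss]
-sink.Write([]byte(jsonField.Value())) // $ Alert[go/stored-xss]
-sink.Write([]byte(jsonField.RawValue().(string))) // $ Alert[go/stored-xss]
-sink.Write([]byte(jsonField.String())) // $ Alert[go/stored-xss]
-sink.Write([]byte(jsonbField.Value())) // $ Alert[go/stored-xss]
+sink.Write([]byte(textField.Value())) // $ Alert[go/stored-xss]
+sink.Write([]byte(textField.RawValue().(string))) // $ Alert[go/stored-xss]
+sink.Write([]byte(textField.String())) // $ Alert[go/stored-xss]
+sink.Write([]byte(jsonField.Value())) // $ Alert[go/stored-xss]
+sink.Write([]byte(jsonField.RawValue().(string))) // $ Alert[go/stored-xss]
+sink.Write([]byte(jsonField.String())) // $ Alert[go/stored-xss]
+sink.Write([]byte(jsonbField.Value())) // $ Alert[go/stored-xss]
 sink.Write([]byte(jsonbField.RawValue().(string))) // $ Alert[go/stored-xss]
-sink.Write([]byte(jsonbField.String())) // $ Alert[go/stored-xss]
+sink.Write([]byte(jsonbField.String())) // $ Alert[go/stored-xss]
 }
 
 // BAD: (possible stored XSS) retrieving data from a database then writing to an HTTP response
 func testQuerySeterReads(qs orm.QuerySeter, sink http.ResponseWriter) {
 var objs []*MyStruct
-qs.All(&objs) // $ Source[go/stored-xss]
+qs.All(&objs) // $ Source[go/stored-xss]
 sink.Write([]byte(objs[0].field)) // $ Alert[go/stored-xss]
 
 var obj MyStruct
-qs.One(&obj) // $ Source[go/stored-xss]
+qs.One(&obj) // $ Source[go/stored-xss]
 sink.Write([]byte(obj.field)) // $ Alert[go/stored-xss]
 
 var allMaps []orm.Params
-qs.Values(&allMaps) // $ Source[go/stored-xss]
+qs.Values(&allMaps) // $ Source[go/stored-xss]
 sink.Write([]byte(allMaps[0]["field"].(string))) // $ Alert[go/stored-xss]
 
 var allLists []orm.ParamsList
-qs.ValuesList(&allLists) // $ Source[go/stored-xss]
+qs.ValuesList(&allLists) // $ Source[go/stored-xss]
 sink.Write([]byte(allLists[0][0].(string))) // $ Alert[go/stored-xss]
 
 var oneList orm.ParamsList
-qs.ValuesFlat(&oneList, "colname") // $ Source[go/stored-xss]
+qs.ValuesFlat(&oneList, "colname") // $ Source[go/stored-xss]
 sink.Write([]byte(oneList[0].(string))) // $ Alert[go/stored-xss]
 
 var oneRowMap orm.Params
-qs.RowsToMap(&oneRowMap, "key", "value") // $ Source[go/stored-xss]
+qs.RowsToMap(&oneRowMap, "key", "value") // $ Source[go/stored-xss]
 sink.Write([]byte(oneRowMap["field"].(string))) // $ Alert[go/stored-xss]
 
 var oneRowStruct MyStruct
 qs.RowsToStruct(&oneRowStruct, "key", "value") // $ Source[go/stored-xss]
-sink.Write([]byte(oneRowStruct.field)) // $ Alert[go/stored-xss]
+sink.Write([]byte(oneRowStruct.field)) // $ Alert[go/stored-xss]
 }
 
 // BAD: (possible stored XSS) retrieving data from a database then writing to an HTTP response
 func testRawSeterReads(rs orm.RawSeter, sink http.ResponseWriter) {
 var allMaps []orm.Params
-rs.Values(&allMaps) // $ Source[go/stored-xss]
+rs.Values(&allMaps) // $ Source[go/stored-xss]
 sink.Write([]byte(allMaps[0]["field"].(string))) // $ Alert[go/stored-xss]
 
 var allLists []orm.ParamsList
-rs.ValuesList(&allLists) // $ Source[go/stored-xss]
+rs.ValuesList(&allLists) // $ Source[go/stored-xss]
 sink.Write([]byte(allLists[0][0].(string))) // $ Alert[go/stored-xss]
 
 var oneList orm.ParamsList
-rs.ValuesFlat(&oneList, "colname") // $ Source[go/stored-xss]
+rs.ValuesFlat(&oneList, "colname") // $ Source[go/stored-xss]
 sink.Write([]byte(oneList[0].(string))) // $ Alert[go/stored-xss]
 
 var oneRowMap orm.Params
-rs.RowsToMap(&oneRowMap, "key", "value") // $ Source[go/stored-xss]
+rs.RowsToMap(&oneRowMap, "key", "value") // $ Source[go/stored-xss]
 sink.Write([]byte(oneRowMap["field"].(string))) // $ Alert[go/stored-xss]
 
 var oneRowStruct MyStruct
 rs.RowsToStruct(&oneRowStruct, "key", "value") // $ Source[go/stored-xss]
-sink.Write([]byte(oneRowStruct.field)) // $ Alert[go/stored-xss]
+sink.Write([]byte(oneRowStruct.field)) // $ Alert[go/stored-xss]
 
 var strField string
-rs.QueryRow(&strField) // $ Source[go/stored-xss]
+rs.QueryRow(&strField) // $ Source[go/stored-xss]
 sink.Write([]byte(strField)) // $ Alert[go/stored-xss]
 
 var strFields []string
-rs.QueryRows(&strFields) // $ Source[go/stored-xss]
+rs.QueryRows(&strFields) // $ Source[go/stored-xss]
 sink.Write([]byte(strFields[0])) // $ Alert[go/stored-xss]
 }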

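--- a/go/ql/test/library-tests/semmle/go/frameworks/Chi/test.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Chi/test.go
@@ -18,9 +18,9 @@ func hideUserData(next http.Handler) http.Handler {
 func main() {
 r := chi.NewRouter()
 r.With(hideUserData).Get("/", func(w http.ResponseWriter, r *http.Request) {
-w.Write([]byte(hidden)) // $ Alert[go/reflected-xss]
-w.Write([]byte(chi.URLParam(r, "someParam"))) // $ Alert[go/reflected-xss]
-w.Write([]byte(chi.URLParamFromCtx(r.Context(), "someKey"))) // $ Alert[go/reflected-xss]
+w.Write([]byte(hidden)) // $ Alert[go/reflected-xss]
+w.Write([]byte(chi.URLParam(r, "someParam"))) // $ Alert[go/reflected-xss]
+w.Write([]byte(chi.URLParamFromCtx(r.Context(), "someKey"))) // $ Alert[go/reflected-xss]
 w.Write([]byte(chi.RouteContext(r.Context()).URLParam("someOtherKey"))) // $ Alert[go/reflected-xss]
 })
 http.ListenAndServe(":3000", r)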

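--- a/go/ql/test/library-tests/semmle/go/frameworks/Echo/test.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Echo/test.go
@@ -13,42 +13,42 @@ import (
 
 func testParam(ctx echo.Context) error {
 param := ctx.Param("someParam") // $ Source[go/reflected-xss]
-ctx.HTML(200, param) // $ Alert[go/reflected-xss]
+ctx.HTML(200, param) // $ Alert[go/reflected-xss]
 return nil
 }
 
 func testParamValues(ctx echo.Context) error {
 param := ctx.ParamValues()[0] // $ Source[go/reflected-xss]
-ctx.HTML(200, param) // $ Alert[go/reflected-xss]
+ctx.HTML(200, param) // $ Alert[go/reflected-xss]
 return nil
 }
 
 func testQueryParam(ctx echo.Context) error {
 param := ctx.QueryParam("someParam") // $ Source[go/reflected-xss]
-ctx.HTML(200, param) // $ Alert[go/reflected-xss]
+ctx.HTML(200, param) // $ Alert[go/reflected-xss]
 return nil
 }
 
 func testQueryParams(ctx echo.Context) error {
 param := ctx.QueryParams()["someParam"][0] // $ Source[go/reflected-xss]
-ctx.HTML(200, param) // $ Alert[go/reflected-xss]
+ctx.HTML(200, param) // $ Alert[go/reflected-xss]
 return nil
 }
 
 func testQueryString(ctx echo.Context) error {
 qstr := ctx.QueryString() // $ Source[go/reflected-xss]
-ctx.HTML(200, qstr) // $ Alert[go/reflected-xss]
+ctx.HTML(200, qstr) // $ Alert[go/reflected-xss]
 return nil
 }
 
 func testFormValue(ctx echo.Context) error {
 val := ctx.FormValue("someField") // $ Source[go/reflected-xss]
-ctx.HTML(200, val) // $ Alert[go/reflected-xss]
+ctx.HTML(200, val) // $ Alert[go/reflected-xss]
 return nil
 }
 
 func testFormParams(ctx echo.Context) error {
-params, _ := ctx.FormParams() // $ Source[go/reflected-xss]
+params, _ := ctx.FormParams() // $ Source[go/reflected-xss]
 ctx.HTML(200, params["someField"][0]) // $ Alert[go/reflected-xss]
 return nil
 }
@@ -63,7 +63,7 @@ func testFormFile(ctx echo.Context) error {
 }
 
 func testMultipartFormValue(ctx echo.Context) error {
-form, _ := ctx.MultipartForm() // $ Source[go/reflected-xss]
+form, _ := ctx.MultipartForm() // $ Source[go/reflected-xss]
 ctx.HTML(200, form.Value["someField"][0]) // $ Alert[go/reflected-xss]
 return nil
 }
@@ -80,12 +80,12 @@ func testMultipartFormFile(ctx echo.Context) error {
 
 func testCookie(ctx echo.Context) error {
 val, _ := ctx.Cookie("someKey") // $ Source[go/reflected-xss]
-ctx.HTML(200, val.Value) // $ Alert[go/reflected-xss]
+ctx.HTML(200, val.Value) // $ Alert[go/reflected-xss]
 return nil
 }
 
 func testCookies(ctx echo.Context) error {
-cookies := ctx.Cookies() // $ Source[go/reflected-xss]
+cookies := ctx.Cookies() // $ Source[go/reflected-xss]
 ctx.HTML(200, cookies[0].Value) // $ Alert[go/reflected-xss]
 return nil
 }
@@ -96,7 +96,7 @@ type myStruct struct {
 
 func testBind(ctx echo.Context) error {
 data := myStruct{}
-ctx.Bind(&data) // $ Source[go/reflected-xss]
+ctx.Bind(&data) // $ Source[go/reflected-xss]
 ctx.HTML(200, data.s) // $ Alert[go/reflected-xss]
 return nil
 }
@@ -122,18 +122,18 @@ func testGetSet(ctx echo.Context) error {
 
 func testHTML(ctx echo.Context) error {
 param := ctx.Param("someParam") // $ Source[go/reflected-xss]
-ctx.HTML(200, param) // $ Alert[go/reflected-xss]
+ctx.HTML(200, param) // $ Alert[go/reflected-xss]
 return nil
 }
 
 func testHTMLBlob(ctx echo.Context) error {
-param := ctx.Param("someParam") // $ Source[go/reflected-xss]
+param := ctx.Param("someParam") // $ Source[go/reflected-xss]
 ctx.HTMLBlob(200, []byte(param)) // $ Alert[go/reflected-xss]
 return nil
 }
 
 func testBlob(ctx echo.Context) error {
-param := ctx.Param("someParam") // $ Source[go/reflected-xss]
+param := ctx.Param("someParam") // $ Source[go/reflected-xss]
 ctx.Blob(200, "text/html", []byte(param)) // $ Alert[go/reflected-xss] // BAD, the content-type is HTML
 return nil
 }
@@ -161,7 +161,7 @@ func testStreamSafe(ctx echo.Context) error {
 // Section: testing output methods defined on Response (XSS vulnerability)
 
 func testResponseWrite(ctx echo.Context) error {
-param := ctx.Param("someParam") // $ Source[go/reflected-xss]
+param := ctx.Param("someParam") // $ Source[go/reflected-xss]
 ctx.Response().Write([]byte(param)) // $ Alert[go/reflected-xss]
 return nil
 }
@@ -170,7 +170,7 @@ func testResponseWrite(ctx echo.Context) error {
 
 func testRedirect(ctx echo.Context) error {
 param := ctx.Param("someParam") // $ Source[go/unvalidated-url-redirection]
-ctx.Redirect(301, param) // $ Alert[go/unvalidated-url-redirection]
+ctx.Redirect(301, param) // $ Alert[go/unvalidated-url-redirection]
 return nil
 }
 
@@ -222,10 +222,10 @@ func fsOpsTest() {
 e := echo.New()
 e.GET("/", func(c echo.Context) error {
 filepath := c.QueryParam("filePath") // $ Source[go/path-injection]
-return c.File(filepath) // $ FileSystemAccess=filepath Alert[go/path-injection]
+return c.File(filepath) // $ FileSystemAccess=filepath Alert[go/path-injection]
 })
 e.GET("/attachment", func(c echo.Context) error {
-filepath := c.QueryParam("filePath") // $ Source[go/path-injection]
+filepath := c.QueryParam("filePath") // $ Source[go/path-injection]
 return c.Attachment(filepath, "file name in response") // $ FileSystemAccess=filepath Alert[go/path-injection]
 })
 _ = e.Start(":1323")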

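--- a/go/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go
@@ -3,10 +3,11 @@ package main
 import (
 "bytes"
 "errors"
-staticControllers "github.com/revel/modules/static/app/controllers"
-"github.com/revel/revel"
 "os"
 "time"
+
+staticControllers "github.com/revel/modules/static/app/controllers"
+"github.com/revel/revel"
 )
 
 // Use typical inheritence pattern, per github.com/revel/examples/booking:
@@ -33,7 +34,7 @@ func (c MyRoute) Handler1() revel.Result {
 func (c MyRoute) Handler2() revel.Result {
 // BAD: the RenderBinary function copies an `io.Reader` to the user's browser.
 buf := &bytes.Buffer{}
-buf.WriteString(c.Params.Form.Get("someField")) // $ Source[go/reflected-xss]
+buf.WriteString(c.Params.Form.Get("someField")) // $ Source[go/reflected-xss]
 return c.RenderBinary(buf, "index.html", revel.Inline, time.Now()) // $ responsebody='buf' Alert[go/reflected-xss]
 }
 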
3940

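--- a/go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/test.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/test.go
@@ -9,35 +9,35 @@ import (
 
 func test(request *http.Request, writer http.ResponseWriter) {
 
-param1 := request.URL.Query().Get("param1") // $ Source[go/reflected-xss]
+param1 := request.URL.Query().Get("param1") // $ Source[go/reflected-xss]
 writer.Write([]byte(html.EscapeString(param1))) // GOOD: escaped.
 
 writer.Write([]byte(html.UnescapeString(param1))) // $ Alert[go/reflected-xss] // BAD: unescaped.
 
 node, _ := html.Parse(request.Body) // $ Source[go/reflected-xss]
-writer.Write([]byte(node.Data)) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
+writer.Write([]byte(node.Data)) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
 
 node2, _ := html.ParseWithOptions(request.Body) // $ Source[go/reflected-xss]
-writer.Write([]byte(node2.Data)) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
+writer.Write([]byte(node2.Data)) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
 
 nodes, _ := html.ParseFragment(request.Body, nil) // $ Source[go/reflected-xss]
-writer.Write([]byte(nodes[0].Data)) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
+writer.Write([]byte(nodes[0].Data)) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
 
 nodes2, _ := html.ParseFragmentWithOptions(request.Body, nil) // $ Source[go/reflected-xss]
-writer.Write([]byte(nodes2[0].Data)) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
+writer.Write([]byte(nodes2[0].Data)) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
 
 html.Render(writer, node) // $ Alert[go/reflected-xss] // BAD: rendering untrusted HTML to `writer`
 
 tokenizer := html.NewTokenizer(request.Body) // $ Source[go/reflected-xss]
-writer.Write(tokenizer.Buffered()) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
-writer.Write(tokenizer.Raw()) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
+writer.Write(tokenizer.Buffered()) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
+writer.Write(tokenizer.Raw()) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
 _, value, _ := tokenizer.TagAttr()
 writer.Write(value) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
 writer.Write(tokenizer.Text()) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
 writer.Write([]byte(tokenizer.Token().Data)) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
 
 tokenizerFragment := html.NewTokenizerFragment(request.Body, "some context") // $ Source[go/reflected-xss]
-writer.Write(tokenizerFragment.Buffered()) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
+writer.Write(tokenizerFragment.Buffered()) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
 
 var cleanNode html.Node
 taintedNode, _ := html.Parse(request.Body) // $ Source[go/reflected-xss]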
