go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter found in pkg/api/handler/repository_handler.go

Vulnerability Description

Detected a direct write to the response body through http.ResponseWriter.Write(). Bytes written this way are sent to the client as-is, bypassing the contextual HTML escaping that the html/template package performs to prevent cross-site scripting. If the body is HTML, render it through html/template and template.Execute() instead of concatenating strings into a []byte. If the body is not HTML (the flagged snippets write values named sarif and badgeFile, which suggests a SARIF JSON report and a badge image rather than a page), the template engine is the wrong tool and this finding is likely a false positive; the control that matters there is an explicit Content-Type header together with X-Content-Type-Options: nosniff, so the browser never sniffs the bytes as HTML. An SVG badge deserves extra care, since an SVG document opened directly in the browser can carry script, so its content should come from a fixed template rather than from user-controlled input.
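The contrast the description draws, as an added Go example that is not code from DevGuard or from pkg/api/handler/repository_handler.go: a handler that concatenates a query parameter into HTML and hands it to w.Write, the same page rendered through html/template, and a raw writer for non-HTML bodies such as a SARIF report or an SVG badge. The handler names, the greeting template, the sample badge and the attacker payload are assumptions made for this example; render drives each handler with net/http/httptest so the output can be inspected offline.

```go
package main

import (
	"fmt"
	"html/template"
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// vulnerableHandler builds an HTML body by string concatenation and hands it to
// w.Write. Nothing escapes the query parameter, so ?name=<script>...</script>
// is returned to the browser as live markup: reflected XSS.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("name")
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	_, _ = w.Write([]byte("<h1>Hello, " + name + "</h1>"))
}

// greeting is parsed once at start-up. html/template escapes each value for the
// context it lands in (text, attribute, URL, script), which is what the finding
// means by "render data using template.Execute()".
var greeting = template.Must(template.New("greeting").Parse("<h1>Hello, {{.}}</h1>"))

// safeHandler renders the same page through html/template. The same payload
// arrives as &lt;script&gt;... and is displayed as text rather than executed.
func safeHandler(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("name")
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	if err := greeting.Execute(w, name); err != nil {
		http.Error(w, "render failed", http.StatusInternalServerError)
	}
}

// rawHandler is the non-HTML case the flagged snippets resemble: a SARIF JSON
// report or an SVG badge cannot go through html/template, so w.Write is the
// correct call. The compensating controls are an explicit Content-Type and
// X-Content-Type-Options: nosniff, so the browser never sniffs the bytes as HTML.
func rawHandler(contentType string, body []byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", contentType)
		w.Header().Set("X-Content-Type-Options", "nosniff")
		if _, err := w.Write(body); err != nil {
			log.Printf("write failed: %v", err) // client went away; nothing more to send
		}
	}
}

// render drives a handler with GET /?name=<name> through httptest's recorder
// and returns the response body and headers for inspection.
func render(h http.HandlerFunc, name string) (string, http.Header) {
	req := httptest.NewRequest(http.MethodGet, "/?name="+url.QueryEscape(name), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Body.String(), rec.Result().Header
}

func main() {
	payload := `<script>alert(1)</script>` // constructed attacker input
	body, _ := render(vulnerableHandler, payload)
	fmt.Println("vulnerable:", body)
	body, _ = render(safeHandler, payload)
	fmt.Println("safe:      ", body)

	badge := []byte(`<svg xmlns="http://www.w3.org/2000/svg"></svg>`) // constructed sample badge
	body, hdr := render(rawHandler("image/svg+xml", badge), "")
	fmt.Println("raw:", hdr.Get("Content-Type"), hdr.Get("X-Content-Type-Options"), body)
}
```

When triaging the four flagged writes, the question to answer is which of the three shapes each one is: an HTML body built from untrusted data belongs in safeHandler's shape, while a SARIF or badge body belongs in rawHandler's shape and is a candidate for /false-positive once the Content-Type and nosniff headers are confirmed to be set.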

Code Snippets

	_, err = w.Write(sarif)

Found at: pkg/api/handler/repository_handler.go Line: 123

	_, err = w.Write(badgeFile)

Found at: pkg/api/handler/repository_handler.go Line: 185

			_, err = w.Write(b)

Found at: pkg/api/handler/repository_handler.go Line: 249

	_, err := w.Write(badgeFile)

Found at: pkg/api/handler/repository_handler.go Line: 287

More details can be found in DevGuard

Interact with this vulnerability

You can use the following slash commands to interact with this vulnerability:

👍 Reply with this to acknowledge and accept the identified risk.

/accept I accept the risk of this vulnerability, because ...

⚠️ Mark the risk as false positive: Use this command if you believe the reported vulnerability is not actually a valid issue.

/false-positive The vulnerability is not exploitable in this context.

🔁 Reopen the risk: Use this command to reopen a previously closed or accepted vulnerability.

/reopen ...