Xss Cross Site Scripting in Gorilla Mux with Cockroachdb

Cross-site scripting (XSS) in a Gorilla Mux service backed by CockroachDB typically occurs when user-supplied data is reflected into HTML responses without proper escaping, and the database stores that data in a way that enables later retrieval and execution in a victim’s browser. With Gorilla Mux, routes are defined explicitly and handlers receive the request and response writers along with mux.Vars, so unsafe use of those variables can introduce injection points. CockroachDB, like any SQL system, does not inherently neutralize HTML or script content; if a column containing user input is later rendered in a template or echoed in a JSON response without context-aware escaping, stored XSS becomes possible.

Consider an endpoint that stores a user profile comment into CockroachDB and later displays it on a dashboard. If the handler does not validate or escape the comment before inserting it into the database, the stored value remains benign in storage but becomes dangerous when read and rendered in an HTML page. Gorilla Mux provides the routing and parameter extraction, but the developer is responsible for ensuring that any data placed into the response—whether from query parameters, headers, cookies, or database rows—is properly sanitized for the output context. Common patterns that create risk include directly concatenating user input into SQL strings and then reusing that data in HTML without escaping, or failing to set appropriate Content-Type and escaping rules in templates.

In a typical vulnerable flow, a request hits a Gorilla Mux route such as /comment, the handler extracts a "text" URL parameter, inserts it into a CockroachDB row, and later fetches that row to include in an HTML page. If the handler uses a standard html/template that does not auto-escape or uses a JSON encoder without escaping, the browser may execute the stored script when the page is rendered. This can lead to session hijacking, credential theft, or account compromise. Because CockroachDB returns values as native types, the risk is not in the database itself but in how the application consumes and presents those values. The combination therefore does not create a database-specific XSS flaw, but it does create a clear path where unsafe data handling in the handler, combined with CockroachDB as a persistent store, enables persistent XSS across sessions.

Remediation centers on context-aware output encoding, strict input validation, and safe database interaction patterns. With Gorilla Mux, ensure handlers validate and sanitize all variables extracted via mux.Vars before using them in queries or templates. For CockroachDB, use parameterized statements to avoid SQL injection and prevent attacker-controlled data from corrupting query structure. Then, when rendering data in HTML, use Go’s html/template package which auto-escapes variables by default, or explicitly escape data for JavaScript, URLs, and CSS as appropriate for the context.

Below is a secure example that stores and retrieves user comments using Gorilla Mux and CockroachDB, with proper escaping and parameterization.

import (
    "database/sql"
    "html/template"
    "net/http"
    "github.com/gorilla/mux"
)

var db *sql.DB // assume initialized CockroachDB connection

func commentHandler(w http.ResponseWriter, r *http.Request) {
    vars := mux.Vars(r)
    rawComment := vars["comment"]
    // Basic validation and length checks
    if rawComment == "" || len(rawComment) > 5000 {
        http.Error(w, "invalid comment", http.StatusBadRequest)
        return
    }
    // Use parameterized query to store safely
    _, err := db.Exec("INSERT INTO comments (text) VALUES ($1)", rawComment)
    if err != nil {
        http.Error(w, "failed to store", http.StatusInternalServerError)
        return
    }
    // Retrieve and render with html/template auto-escaping
    var storedComment string
    err = db.QueryRow("SELECT text FROM comments WHERE id = $1", vars["id"]).Scan(&storedComment)
    if err != nil {
        http.Error(w, "not found", http.StatusNotFound)
        return
    }
    tmpl := template.Must(template.New("page").Parse(`
<h1>Comments</h1>
<div>{{.}}</div>
`))
    tmpl.Execute(w, storedComment)
}

This pattern ensures that user input is never directly interpolated into SQL or HTML. The sql package handles parameterization for CockroachDB, and html/template escapes values for HTML context. For JSON responses, use encoding/json which escapes special characters, and avoid using the unsafe legacy JSON encoders. Additionally, enforce Content-Security-Policy headers to reduce the impact of any future issues, and validate input against expected patterns to further reduce risk.