Since struct tags are never (correct me if I am wrong) user controlled, this is not a security issue, but it's still kind of a bug.
This will inject code:

```go
type user struct {
	Injection int `json:"test': number;\n}\n\nconsole.log('code injection');\ndeclare interface user2 {\n\t'aa"`
}
```

It will produce the following TS code on the demo website:
```ts
declare interface user {
	'test': number;
}

console.log('code injection');
declare interface user2 {
	'aa': number;
}
```

The Go json package warns about this being an invalid JSON tag, so maybe the issue doesn't have to be addressed, but I thought it's worth letting you know.
How to fix it?

Don't let the user escape the string by using ' in the json tag.

Maybe use the json package to tell whether it's even a valid json tag.
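As an added illustration (not code from the reporter or from the project), a minimal generator that applies the check suggested above: it validates the json tag name with the same character rule encoding/json uses (the package has no exported validator, so the rule is reproduced here) before quoting the name into the TypeScript output. `EmitInterface`, `Safe` and `Evil` are made-up names, and every field is rendered as `number` for brevity.

```go
package main

import (
	"fmt"
	"reflect"
	"strings"
	"unicode"
)

// isValidTagName applies the rule encoding/json uses for a tag name: letters, digits and a
// fixed punctuation set. Quotes, backslashes and newlines, as in the report's tag, are rejected.
func isValidTagName(s string) bool {
	for _, c := range s {
		switch {
		case strings.ContainsRune("!#$%&()*+-./:;<=>?@[]^_{|}~ ", c):
		case !unicode.IsLetter(c) && !unicode.IsDigit(c):
			return false
		}
	}
	return s != ""
}

// EmitInterface renders a struct as a TypeScript declare interface. Every field is emitted as
// number (assumption: the report only uses int fields); the point is that a name which could
// not have come from a valid json tag is refused, so it can never close the quoted key.
func EmitInterface(t reflect.Type) (string, error) {
	var b strings.Builder
	fmt.Fprintf(&b, "declare interface %s {\n", t.Name())
	for i := 0; i < t.NumField(); i++ {
		f := t.Field(i)
		name, _, _ := strings.Cut(f.Tag.Get("json"), ",") // options such as omitempty follow the comma
		if name == "" {
			name = f.Name
		}
		if !isValidTagName(name) {
			return "", fmt.Errorf("field %s: invalid json tag name %q", f.Name, name)
		}
		fmt.Fprintf(&b, "\t'%s': number;\n", name)
	}
	return b.String() + "}\n", nil
}

// Constructed sample types: Safe is ordinary; Evil carries the tag from the report.
type Safe struct{ Test int `json:"test"` }
type Evil struct{ Injection int `json:"test': number;\n}\nconsole.log('code injection');\ndeclare interface user2 {\n\t'aa"` }

func main() {
	out, err := EmitInterface(reflect.TypeOf(Evil{}))
	fmt.Printf("%q %v\n", out, err)
}
```

Note that `StructTag.Get` unquotes the tag value, so the `\n` escapes in the report's tag become real newlines before the check runs.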
BrianLeishman