# Code Injection via os/exec

- ID: go-code-injection
- Severity: CRITICAL
- CWE: Code Injection (CWE-94)
- Languages: Go

## Description

Detects user input flowing to template functions that bypass HTML escaping.

## Remediation

Pass user input as template data instead of using `template.HTML`.

```go
// userInput stays a plain string, so the template engine escapes it on output.
data := struct{ Content string }{Content: userInput}
tmpl.Execute(w, data)
```

Learn more: https://shoulder.dev/learn/go/cwe-94/code-injection

## Related Rules

- **LLM Insecure Output Handling** [HIGH]
- **Server-Side Template Injection** [CRITICAL]
- **Code Injection via eval() and Function constructor** [CRITICAL]
- **LLM Insecure Output Handling** [HIGH]
- **Code Injection via eval/exec** [CRITICAL]
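The flagged pattern next to the fix from the Remediation section, as an added example that is not part of the rule's own code. It assumes the `html/template` package; the `page` template, the `renderUnsafe` and `renderSafe` helpers, and the sample input are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// page is a constructed template with one placeholder in HTML text context.
var page = template.Must(template.New("page").Parse(`<p>{{.Content}}</p>`))

// renderUnsafe shows the flagged pattern: converting user input to
// template.HTML marks it as trusted markup, so it is emitted verbatim.
func renderUnsafe(userInput string) (string, error) {
	var buf bytes.Buffer
	data := struct{ Content template.HTML }{Content: template.HTML(userInput)}
	err := page.Execute(&buf, data)
	return buf.String(), err
}

// renderSafe shows the remediation: the input stays a plain string and
// html/template escapes it for the context it lands in.
func renderSafe(userInput string) (string, error) {
	var buf bytes.Buffer
	data := struct{ Content string }{Content: userInput}
	err := page.Execute(&buf, data)
	return buf.String(), err
}

func main() {
	input := `<script>alert(1)</script>` // constructed sample input
	for name, render := range map[string]func(string) (string, error){
		"template.HTML": renderUnsafe,
		"plain string":  renderSafe,
	} {
		out, err := render(input)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-14s %s\n", name+":", out)
	}
}
```
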