# Server-Side Template Injection

- ID: go-ssti
- Severity: CRITICAL
- CWE: Code Injection (CWE-94)
- Languages: Go

## Description

User input is passed directly to `template.Parse` without sanitization, so it is interpreted as template code rather than as template data.

## Remediation

Use predefined templates and pass user data as template variables.

```go
// Parsed once from a fixed file; user input is never part of the template source.
var tmpl = template.Must(template.ParseFiles("page.html"))

// Inside the handler: user input is rendered as data, and the render error is checked.
if err := tmpl.Execute(w, map[string]string{
	"name": userInput, // Safe - passed as data, not template code
}); err != nil {
	http.Error(w, "render failed", http.StatusInternalServerError)
}
```

Learn more: https://shoulder.dev/learn/go/cwe-94/ssti

## Related Rules

- **Code Injection via os/exec** [CRITICAL]
- **LLM Insecure Output Handling** [HIGH]
- **Code Injection via eval() and Function constructor** [CRITICAL]
- **Code Injection via eval/exec** [CRITICAL]
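The flagged pattern beside the remediated one, as an added example that is not part of this rule page. It assumes a constructed one-line template (`pageTmpl`) and the hypothetical functions `renderSafe` and `renderUnsafe`; the inputs in `main` are constructed samples.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Constructed fixed template: parsed once at startup, user input never reaches Parse.
var pageTmpl = template.Must(template.New("page").Parse(`<h1>Hello, {{.Name}}</h1>`))

// renderSafe follows the remediation: user input is template *data*.
// html/template escapes it for the HTML context and never evaluates
// template actions that happen to appear inside it.
func renderSafe(name string) (string, error) {
	var buf bytes.Buffer
	err := pageTmpl.Execute(&buf, map[string]string{"Name": name})
	return buf.String(), err
}

// renderUnsafe is the pattern the rule flags: user input is concatenated
// into the template *source*, so any {{...}} action it contains is executed
// and any markup it contains is emitted unescaped.
func renderUnsafe(name string) (string, error) {
	t, err := template.New("page").Parse("<h1>Hello, " + name + "</h1>")
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, nil)
	return buf.String(), err
}

func main() {
	// Constructed inputs: plain text, markup, and a template action.
	for _, in := range []string{"Alice", "<b>x</b>", "{{23}}"} {
		safe, _ := renderSafe(in)
		unsafe, err := renderUnsafe(in)
		fmt.Printf("input %q\n  safe:   %s\n  unsafe: %s (err=%v)\n", in, safe, unsafe, err)
	}
}
```

With the input `{{23}}` the safe path prints the braces literally, while the unsafe path evaluates the action and prints `23`, which is exactly the difference a detection rule for this pattern is looking for.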