🐛 bug: fix HTML escaping in AutoFormat by Claude · Pull Request #4228 · gofiber/fiber

Claude · 2026-04-23T13:22:48Z

Description

Fixes a potential XSS vulnerability in AutoFormat where user input was directly concatenated into HTML without escaping.

Changes introduced

Security Fix: AutoFormat now uses template.HTMLEscapeString() to escape HTML special characters before rendering
- Location: res.go:460 - Changed from "" + b + "" to "" + template.HTMLEscapeString(b) + ""
- Imports: Added html package to res.go
Test Coverage: Added comprehensive Test_Ctx_AutoFormat_XSS_Prevention covering:
- Script tag injection
- Image/iframe tags with malicious handlers
- JavaScript protocol URLs
- Event handler attributes
- Mixed quotes and special characters
- Legitimate HTML entities (<, >, &)
Benchmarks: No performance impact - html.EscapeString() is optimized for common cases
Documentation Update: No documentation changes needed - security fix maintains existing API
Changelog/What's New: Security fix - prevents XSS attacks in AutoFormat HTML rendering
Migration Guide: No breaking changes - output format identical for non-malicious content
API Alignment with Express: N/A - security hardening
API Longevity: Maintains backward compatibility while fixing security issue
Examples: Test suite demonstrates protection against common XSS vectors

Type of change

Code consistency (non-breaking change which improves code reliability and robustness)

Checklist

Followed the inspiration of the Express.js framework for new functionalities, making them similar in usage.
Conducted a self-review of the code and provided comments for complex or critical parts.
Updated the documentation in the /docs/ directory for Fiber's documentation.
Added or updated unit tests to validate the effectiveness of the changes or new features.
Ensured that new and existing unit tests pass locally with the changes.
Verified that any new dependencies are essential and have been agreed upon by the maintainers/community.
Aimed for optimal performance with minimal allocations in the new code.
Provided benchmarks for the new code to analyze and improve upon.

Agent-Logs-Url: https://github.com/gofiber/fiber/sessions/42d9cb22-074d-4c33-a38e-c250234957a0 Co-authored-by: gaby <835733+gaby@users.noreply.github.com>

codecov · 2026-04-23T13:25:00Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.12%. Comparing base (9fd194f) to head (46e2cd9).
⚠️ Report is 30 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4228      +/-   ##
==========================================
- Coverage   91.24%   91.12%   -0.12%     
==========================================
  Files         123      123              
  Lines       11910    12076     +166     
==========================================
+ Hits        10867    11004     +137     
- Misses        655      673      +18     
- Partials      388      399      +11

Flag	Coverage Δ
unittests	`91.12% <100.00%> (-0.12%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Copilot

Pull request overview

This PR hardens Fiber’s AutoFormat HTML response path against XSS by escaping user-provided content before embedding it in an HTML  wrapper.

Changes:

Escape HTML special characters in DefaultRes.AutoFormat when the negotiated type is html.
Add a dedicated regression test covering multiple common XSS payload patterns for AutoFormat HTML output.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
`res.go`	Escapes HTML output in `AutoFormat` to prevent user input from being interpreted as markup/script.
`ctx_test.go`	Adds coverage ensuring the HTML `AutoFormat` branch properly escapes potentially malicious input across several vectors.

gaby · 2026-04-23T14:11:26Z

@copilot apply changes based on the comments in this thread

Agent-Logs-Url: https://github.com/gofiber/fiber/sessions/e13b1223-74cf-4f5a-83f9-4c2cc4e2e9eb Co-authored-by: gaby <835733+gaby@users.noreply.github.com>

Copilot · 2026-04-23T14:31:41Z

@copilot apply changes based on the comments in this thread

Addressed in cc5d809: switched AutoFormat to template.HTMLEscapeString, documented that HTML output is escaped plain text inside ..., added coverage for pre-rendered HTML being escaped, and updated the PR checklist with the migration note.

Copilot

Pull request overview

Hardens Fiber’s AutoFormat HTML response path against XSS by ensuring user-provided content is HTML-escaped before being embedded into an HTML wrapper.

Changes:

Escape HTML content in DefaultRes.AutoFormat when Accept selects text/html (wraps escaped text in a ).
Add a dedicated XSS-prevention test covering multiple common injection vectors.
Update generated interface docs to reflect the new AutoFormat HTML escaping behavior.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
`res.go`	Escapes `AutoFormat` HTML output via `template.HTMLEscapeString` before wrapping in `<p>...</p>`.
`ctx_test.go`	Adds `Test_Ctx_AutoFormat_XSS_Prevention` validating escaping across multiple payload patterns.
`ctx_interface_gen.go`	Updates the generated `Ctx` interface comment to document HTML escaping behavior.
`res_interface_gen.go`	Updates the generated `Res` interface comment to document HTML escaping behavior.

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Copilot

Pull request overview

Hardens Fiber’s AutoFormat HTML rendering path to prevent XSS by escaping the rendered body when text/html is negotiated, and adds regression tests to validate escaping behavior.

Changes:

Escape HTML output in DefaultRes.AutoFormat when the negotiated type is html.
Add a dedicated XSS regression test covering multiple common injection vectors.
Update AutoFormat documentation comments (including generated interfaces) to reflect the escaping behavior.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File	Description
res.go	Escapes the HTML response body in `AutoFormat` before wrapping it in `<p>...</p>`.
ctx_test.go	Adds `Test_Ctx_AutoFormat_XSS_Prevention` to assert HTML-escaping and prevent regressions.
res_interface_gen.go	Updates generated `Res` interface doc comment for `AutoFormat` to mention escaping.
ctx_interface_gen.go	Updates generated `Ctx` interface doc comment for `AutoFormat` to mention escaping.

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

gaby · 2026-04-23T23:20:10Z

@claude[agent]+claude-sonnet-4.6 Should we remove the "

" wrapping for html in AutoFormat() ?

Claude · 2026-04-23T23:21:17Z

@claude[agent]+claude-sonnet-4.6 Should we remove the "
" wrapping for html in AutoFormat() ?

Yes, I recommend removing the  wrapper. Since AutoFormat now escapes all content as plain text for security, the  tag is inconsistent—it's the only HTML element being rendered. Other formats (txt, json, xml) don't add wrappers, and users wanting structured HTML should use Format() with custom handlers. The HTML case should just return the escaped text with text/html content-type.

Should I proceed with removing the  wrapper?

gaby · 2026-04-24T00:37:15Z

@ReneWerner87 Thoughts?

ReneWerner87 · 2026-04-24T08:01:48Z

@claude[agent] We've adopted this feature from Express.js—how does it work there? Do we only use plain text as input? Is there a wrapper? What about XSS injection?

Claude · 2026-04-24T08:04:00Z

@claude[agent] We've adopted this feature from Express.js—how does it work there? Do we only use plain text as input? Is there a wrapper? What about XSS injection?

Express.js res.format() works differently from our AutoFormat():

Express.js approach:

res.format() is a content-negotiation router that calls handler functions you provide
No automatic wrapping or escaping - developers control the full response
Example: res.format({ html: () => res.send('hey'), json: () => res.json({msg: 'hey'}) })
XSS protection exists only in res.redirect() (uses escape-html on URLs in the HTML template)

Fiber's AutoFormat:

Takes a single value and auto-converts to all formats
Currently adds  wrapper and escapes HTML (after my fix)
More convenient but different design

Recommendation: Since Express doesn't wrap content, we should remove the  wrapper and just return the escaped text with text/html content-type. This aligns better with Express while maintaining XSS protection.

ReneWerner87 · 2026-04-24T08:15:42Z

okay AutoFormat is a special fiber thing -> then we can decide on our own, for the behaviour

ReneWerner87 · 2026-04-24T09:10:56Z

Let's talk about this again on Discord; I'm not sure about the restriction that says you can only inject plain text now.

ReneWerner87 · 2026-04-25T06:47:38Z

We are fine with the adjustments

welcome · 2026-04-25T06:47:48Z

Congrats on merging your first pull request! 🎉 We here at Fiber are proud of you! If you need help or want to chat with us, join us on Discord https://gofiber.io/discord

Fix XSS vulnerability in AutoFormat HTML output

0b0d555

Agent-Logs-Url: https://github.com/gofiber/fiber/sessions/42d9cb22-074d-4c33-a38e-c250234957a0 Co-authored-by: gaby <835733+gaby@users.noreply.github.com>

Claude AI assigned Claude and gaby Apr 23, 2026

Claude created this pull request from a session on behalf of gaby April 23, 2026 13:22 View session

ReneWerner87 added v3 ☢️ Bug labels Apr 23, 2026

ReneWerner87 added this to v3 Apr 23, 2026

ReneWerner87 added this to the v3 milestone Apr 23, 2026

gaby changed the title ~~🐛 bug: Fix XSS vulnerability in AutoFormat HTML output~~ 🐛 bug: fix HTML escaping in AutoFormat Apr 23, 2026

gaby moved this to In Progress in v3 Apr 23, 2026

gaby marked this pull request as ready for review April 23, 2026 13:24

Copilot AI review requested due to automatic review settings April 23, 2026 13:24

gaby requested a review from a team as a code owner April 23, 2026 13:24

gaby requested review from ReneWerner87, efectn, gaby and sixcolors April 23, 2026 13:24

Copilot started reviewing on behalf of gaby April 23, 2026 13:25 View session

ReneWerner87 approved these changes Apr 23, 2026

View reviewed changes

Copilot AI reviewed Apr 23, 2026

View reviewed changes

Comment thread res.go

Comment thread res.go

Comment thread res.go Outdated

Copilot started work on behalf of gaby April 23, 2026 14:11 View session

docs: clarify AutoFormat HTML escaping behavior

cc5d809

Agent-Logs-Url: https://github.com/gofiber/fiber/sessions/e13b1223-74cf-4f5a-83f9-4c2cc4e2e9eb Co-authored-by: gaby <835733+gaby@users.noreply.github.com>

gaby requested a review from Copilot April 23, 2026 14:23

Copilot started reviewing on behalf of gaby April 23, 2026 14:23 View session

Copilot AI reviewed Apr 23, 2026

View reviewed changes

Comment thread ctx_test.go Outdated

Potential fix for pull request finding

f774c29

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

gaby requested a review from Copilot April 23, 2026 14:38

Copilot finished work on behalf of gaby April 23, 2026 14:39

Copilot started reviewing on behalf of gaby April 23, 2026 14:49 View session

Copilot AI reviewed Apr 23, 2026

View reviewed changes

Comment thread res.go

Comment thread res.go Outdated

Comment thread ctx_test.go

gaby and others added 2 commits April 23, 2026 19:00

Potential fix for pull request finding

b3f1d9e

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Potential fix for pull request finding

46e2cd9

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Claude started work on behalf of gaby April 23, 2026 23:20 View session

Claude finished work on behalf of gaby April 23, 2026 23:21

Claude started work on behalf of ReneWerner87 April 24, 2026 08:01 View session

Claude finished work on behalf of ReneWerner87 April 24, 2026 08:04

Claude AI requested a review from ReneWerner87 April 24, 2026 08:04

ReneWerner87 added the 🔍 Under Investigation label Apr 24, 2026

ReneWerner87 merged commit 771b689 into main Apr 25, 2026
24 checks passed

ReneWerner87 deleted the claude/fix-xss-raw-html-escaping branch April 25, 2026 06:47

github-project-automation Bot moved this from In Progress to Done in v3 Apr 25, 2026

ReneWerner87 removed the 🔍 Under Investigation label Apr 25, 2026

ReneWerner87 modified the milestones: v3, v3.2.0 Apr 25, 2026

Uh oh!

Conversation

Claude AI commented Apr 23, 2026 • edited by gaby Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Changes introduced

Type of change

Checklist

Uh oh!

codecov Bot commented Apr 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

gaby commented Apr 23, 2026

Uh oh!

Copilot AI commented Apr 23, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

gaby commented Apr 23, 2026

Uh oh!

Claude AI commented Apr 23, 2026

Uh oh!

gaby commented Apr 24, 2026

Uh oh!

ReneWerner87 commented Apr 24, 2026

Uh oh!

Claude AI commented Apr 24, 2026

Uh oh!

ReneWerner87 commented Apr 24, 2026

Uh oh!

ReneWerner87 commented Apr 24, 2026

Uh oh!

ReneWerner87 commented Apr 25, 2026

Uh oh!

Uh oh!

welcome Bot commented Apr 25, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Claude AI commented Apr 23, 2026 •

edited by gaby

Loading

codecov Bot commented Apr 23, 2026 •

edited

Loading