Open larschri opened 4 months ago
Thank you for this false positive report. Resolving this issue is not a current product priority, but we acknowledge the report and will track it internally for future consideration, or if we observe repeated instances of the same problem.
Description of the false positive
A simple, valid e-mail address inside an e-mail message triggers https://codeql.github.com/codeql-query-help/go/go-email-injection/
The rule also triggers on valid HTML, although the security model in html/template should make it safe.
Code samples
Another example where html/template takes care of escaping the HTML content.
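The code samples from the report are not reproduced above, so the following is an added, constructed Go example (not the reporter's code and not part of the CodeQL query or the issue) illustrating the two points the report makes: a body rendered through html/template has every interpolated value contextually escaped, and a header value only needs a CR/LF check to rule out header injection. The function names, the template text and the sample inputs are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"html/template"
	"strings"
)

// ErrHeaderInjection is returned when a header value contains CR or LF,
// the characters that would end the current header line and let a caller
// append further headers (e.g. an extra recipient) to the message.
var ErrHeaderInjection = errors.New("header value contains CR or LF")

// SafeHeaderValue accepts a single-line header value and rejects anything
// that could break out of that line. Hypothetical helper for this example.
func SafeHeaderValue(v string) (string, error) {
	if strings.ContainsAny(v, "\r\n") {
		return "", ErrHeaderInjection
	}
	return v, nil
}

// bodyTemplate is a constructed HTML body; the placeholders sit in HTML text
// context, where html/template escapes <, >, &, ' and " on every execution.
var bodyTemplate = template.Must(template.New("body").Parse(
	`<p>Hello {{.Name}},</p>` +
		`<p>We received a request from <b>{{.Address}}</b>.</p>`))

// RenderBody renders the body with html/template, so untrusted values such
// as a user-supplied name or address cannot introduce markup of their own.
func RenderBody(name, address string) (string, error) {
	var buf bytes.Buffer
	data := struct{ Name, Address string }{name, address}
	if err := bodyTemplate.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// BuildMessage assembles a minimal message: headers are checked for CR/LF,
// the body is produced by html/template. It is a constructed illustration,
// not a full RFC 5322 implementation.
func BuildMessage(to, subject, name string) (string, error) {
	safeTo, err := SafeHeaderValue(to)
	if err != nil {
		return "", fmt.Errorf("To: %w", err)
	}
	safeSubject, err := SafeHeaderValue(subject)
	if err != nil {
		return "", fmt.Errorf("Subject: %w", err)
	}
	body, err := RenderBody(name, safeTo)
	if err != nil {
		return "", err
	}
	return "To: " + safeTo + "\r\n" +
		"Subject: " + safeSubject + "\r\n" +
		"Content-Type: text/html; charset=utf-8\r\n\r\n" +
		body + "\r\n", nil
}

func main() {
	// Constructed inputs: a plain address, and a name carrying markup.
	msg, err := BuildMessage("alice@example.com", "Confirm your request",
		"<script>alert(1)</script>")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Print(msg)

	// A header value with an embedded line break is refused outright.
	_, err = BuildMessage("alice@example.com\r\nBcc: mallory@example.com",
		"Confirm your request", "Alice")
	fmt.Println("injected header rejected:", err != nil)
}
```

Running it prints the rendered message with the script tag turned into `&lt;script&gt;alert(1)&lt;/script&gt;` while the plain address passes through untouched, and shows the second call failing on the CR/LF in the To value.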