How to Implement Input Validation and Sanitization in Go

Use html/template for automatic HTML escaping and filepath.IsLocal or os.OpenRoot for path validation to prevent injection and traversal attacks.

package main

import (
	"html/template"
	"os"
	"path/filepath"
)

func main() {
	// Sanitize HTML output
	tmpl := template.Must(template.New("safe").Parse("<p>{{.}}</p>"))
	tmpl.Execute(os.Stdout, "<script>alert('xss')</script>")

	// Validate file paths
	if !filepath.IsLocal("../../etc/passwd") {
		return // Reject traversal attempt
	}

	// Or use traversal-resistant root
	root, _ := os.OpenRoot("/safe/dir")
	defer root.Close()
	f, _ := root.Open("file.txt") // Safe from symlinks and ..
}

Input validation checks that user data matches expected rules before your program uses it, while sanitization cleans the data to remove dangerous characters. Think of it like a bouncer checking IDs at a club door and removing weapons before letting people inside. You use these techniques whenever you accept data from users, APIs, or files to prevent hackers from injecting malicious code or accessing unauthorized files.