Cypherpunks repositories - gostls13.git/commit
html/template: emit filterFailsafe for empty unquoted attr value
author Roland Shoemaker <bracewell@google.com>
Thu, 13 Apr 2023 21:01:50 +0000 (14:01 -0700)
committer Carlos Amedee <carlos@golang.org>
Tue, 2 May 2023 19:42:28 +0000 (19:42 +0000)
commit 0d347544cbca0f42b160424f6bc2458ebcc7b3fc
tree bc11f07a19ca44fe318fcebb1450e71fc20f3abe
parent a32232cb18ed07496ec77c1cf2dcefa1cb0ac057
html/template: emit filterFailsafe for empty unquoted attr value

An unquoted action used as an attribute value can result in unsafe
behavior if it is empty, as HTML normalization will result in unexpected
attributes, and may allow attribute injection. If executing a template
results in an empty unquoted attribute value, emit filterFailsafe
instead.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

Fixes #59722
Fixes CVE-2023-29400

Change-Id: Ia38d1b536ae2b4af5323a6c6d861e3c057c2570a
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826631
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491617
Run-TryBot: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
src/html/template/escape.go
src/html/template/escape_test.go
src/html/template/html.go
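The behaviour the commit message describes, shown from the template author's side as an added example (this is not code from the commit or from the Go source tree). It assumes a Go toolchain that includes this fix, and that the unexported `filterFailsafe` value in `html/template` is the string `ZgotmplZ`; the `render` and `hitFailsafe` helpers are constructed for the example. An empty value in an unquoted attribute is now replaced with `ZgotmplZ`, a non-empty value is escaped normally, and a quoted attribute is unaffected because the quotes already delimit the value:

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// filterFailsafe mirrors the unexported constant of the same name in
// html/template: the token substituted when an action's output cannot be
// made safe in its context (assumed value, see lead-in).
const filterFailsafe = "ZgotmplZ"

// render parses src with html/template (contextual auto-escaping) and
// executes it with data bound to {{.}}.
func render(src string, data any) (string, error) {
	t, err := template.New("t").Parse(src)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, data); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// hitFailsafe reports whether the escaper fell back to filterFailsafe
// anywhere in the rendered output. Rendering that token in production
// is a sign that a template feeds an unsafe value into an attribute,
// so it is worth asserting on in tests or flagging in logs.
func hitFailsafe(out string) bool {
	return strings.Contains(out, filterFailsafe)
}

func main() {
	// Constructed cases covering the empty unquoted value the commit
	// guards against, a normal unquoted value, and the quoted form.
	cases := []struct {
		name, src string
		data      any
	}{
		{"unquoted, empty", `<p name={{.}}>`, ""},
		{"unquoted, non-empty", `<p name={{.}}>`, "x"},
		{"quoted, empty", `<p name="{{.}}">`, ""},
	}
	for _, c := range cases {
		out, err := render(c.src, c.data)
		if err != nil {
			fmt.Printf("%-20s error: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-20s %-22s failsafe=%v\n", c.name, out, hitFailsafe(out))
	}
}
```

Without the fix, the first case rendered as `<p name=>`, which the browser's attribute parser could merge with whatever follows; with it, the attribute carries the inert `ZgotmplZ` token instead, and `hitFailsafe` gives a cheap way to catch such templates before they ship.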