Cypherpunks repositories - gostls13.git/commit
[release-branch.go1.19] html/template: disallow angle brackets in CSS values
author    Roland Shoemaker <bracewell@google.com>
          Thu, 13 Apr 2023 22:40:44 +0000 (15:40 -0700)
committer Carlos Amedee <carlos@golang.org>
          Tue, 2 May 2023 16:31:51 +0000 (16:31 +0000)
commit    e49282327b05192e46086bf25fd3ac691205fe80
tree      026cc1d3694455827c99fbfacb020ad7ac7d4841
parent    c3c53a2c67f6f851ef974d54db1cc0d4d0ee6f75
[release-branch.go1.19] html/template: disallow angle brackets in CSS values

Angle brackets should not appear in CSS contexts, as they may affect
token boundaries (such as closing a <style> tag, resulting in
injection). Instead emit filterFailsafe, matching the behavior for other
dangerous characters.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

For #59720
Fixes #59811
Fixes CVE-2023-24539

Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851496
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491335
Run-TryBot: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
src/html/template/css.go
src/html/template/css_test.go
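The mechanism the commit message describes, as an added example that is not part of this commit or of the Go project's own sources: two actions inside a <style> element separated by a literal "/" in the template text. Neither value alone needs to contain "/" or any other character the old cssValueFilter rejected, but together with the template's own "/" they spell "</style>". renderCSS runs the real html/template, so on a toolchain that includes this fix both values come back as ZgotmplZ (filterFailsafe); the preFixDangerous/postFixDangerous stand-ins are a simplified reconstruction of the filter's character list before and after adding "<" and ">", assumed here to illustrate the difference (the real filter also decodes CSS escapes first and rejects "--", "expression" and "mozbinding").

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Template of the shape the fix describes: two actions inside a <style>
// element separated by a literal "/". Each value on its own can avoid every
// character the old filter rejected, yet together with the template's "/"
// they spell "</style>".
const cssTmpl = `<style>p { color: {{.X}}/{{.Y}} }</style>`

type cssVals struct{ X, Y string }

// renderCSS executes cssTmpl through html/template with untrusted X and Y,
// so the result reflects whatever cssValueFilter the linked toolchain ships.
func renderCSS(x, y string) (string, error) {
	t, err := template.New("css").Parse(cssTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, cssVals{X: x, Y: y}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// Simplified stand-ins (assumption, not the library's code) for the
// character check in cssValueFilter before and after this commit. The real
// filter also decodes CSS escapes first and rejects "--", "expression" and
// "mozbinding"; those are omitted here.
const (
	preFixDangerous  = "\x00\"'()/;@[\\]`{}"
	postFixDangerous = preFixDangerous + "<>"
	filterFailsafe   = "ZgotmplZ"
)

// filterCSSValue returns filterFailsafe if s contains any byte from the
// given dangerous set, otherwise s unchanged.
func filterCSSValue(s, dangerous string) string {
	if strings.ContainsAny(s, dangerous) {
		return filterFailsafe
	}
	return s
}

// renderWithFilter substitutes X and Y into cssTmpl's text by hand using one
// of the stand-in filters, to show what the old and new checks produce.
func renderWithFilter(x, y, dangerous string) string {
	return fmt.Sprintf("<style>p { color: %s/%s }</style>",
		filterCSSValue(x, dangerous), filterCSSValue(y, dangerous))
}

// closesStyle reports whether the output contains more than the template's
// own closing tag, i.e. the injected bytes broke out of the CSS context.
func closesStyle(out string) bool {
	return strings.Count(strings.ToLower(out), "</style>") > 1
}

func main() {
	// Constructed attacker input: X ends the open tag, Y names it and adds
	// markup, with no "/", "(", ";" or other old-filter byte in either.
	x, y := "<", "style><b>injected"
	fmt.Println("pre-fix  :", renderWithFilter(x, y, preFixDangerous))
	fmt.Println("post-fix :", renderWithFilter(x, y, postFixDangerous))
	out, err := renderCSS(x, y)
	if err != nil {
		panic(err)
	}
	fmt.Println("toolchain:", out, "broken out:", closesStyle(out))
}
```

The pre-fix rendering is `<style>p { color: </style><b>injected }</style>`: a browser ends the style element at the first `</style>` and renders the injected markup as HTML. With "<" and ">" on the dangerous list, each action becomes ZgotmplZ and the element stays closed only where the template closes it. Note that the same values inside a `style="..."` attribute were never exploitable this way, because the attribute escaper HTML-encodes the angle brackets after the CSS filter; the <style> element, where no attribute escaping applies, is the case the fix covers.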