text/template: limit expression parenthesis nesting - go - Fork of Go programming language with my patches.

diff options

author	Ville Vesilehto <ville@vesilehto.fi>	2025-05-14 18:16:54 +0000
committer	Gopher Robot <gobot@golang.org>	2025-05-17 03:27:48 -0700
commit	42f9ee904caf6681ee32e7b048f15ab7cddf3eb3 (patch)
tree	dba6ef2dd28748581ba950cea159801160154797 /src/bytes/buffer_test.go
parent	6425749695130f2032ac9cfdf5407b6a322534db (diff)
download	go-42f9ee904caf6681ee32e7b048f15ab7cddf3eb3.tar.xz

text/template: limit expression parenthesis nesting

Deeply nested parenthesized expressions could cause a stack overflow during parsing. This change introduces a depth limit (maxStackDepth) tracked in Tree.stackDepth to prevent this. Additionally, this commit clarifies the security model in the package documentation, noting that template authors are trusted as text/template does not auto-escape. Fixes #71201 Change-Id: Iab2c2ea6c193ceb44bb2bc7554f3fccf99a9542f GitHub-Last-Rev: f4ebd1719ff966ae3c6516e3fb935dfea2f5362e GitHub-Pull-Request: golang/go#73670 Reviewed-on: https://go-review.googlesource.com/c/go/+/671755 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Michael Knyszek <mknyszek@google.com> Auto-Submit: Sean Liao <sean@liao.dev> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Rob Pike <r@golang.org>

Diffstat (limited to 'src/bytes/buffer_test.go')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: