diff options
| author | Roland Shoemaker <bracewell@google.com> | 2023-04-13 15:40:44 -0700 |
|---|---|---|
| committer | Carlos Amedee <carlos@golang.org> | 2023-05-02 19:38:18 +0000 |
| commit | 8673ca81e5340b87709db2d9749c92a3bf925df1 (patch) | |
| tree | f89c4dd672281f18af8e7fa17c70b8ea18fe583f /src/html/template/css.go | |
| parent | 72ba91902a39abb47ee9681319d517d4413e3b65 (diff) | |
| download | go-8673ca81e5340b87709db2d9749c92a3bf925df1.tar.xz | |
html/template: disallow angle brackets in CSS values
Angle brackets should not appear in CSS contexts, as they may affect
token boundaries (such as closing a <style> tag, resulting in
injection). Instead emit filterFailsafe, matching the behavior for other
dangerous characters.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
Fixes #59720
Fixes CVE-2023-24539
Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491615
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Diffstat (limited to 'src/html/template/css.go')
| -rw-r--r-- | src/html/template/css.go | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/html/template/css.go b/src/html/template/css.go index 890a0c6b22..f650d8b3e8 100644 --- a/src/html/template/css.go +++ b/src/html/template/css.go @@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string { // inside a string that might embed JavaScript source. for i, c := range b { switch c { - case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}': + case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>': return filterFailsafe case '-': // Disallow <!-- or -->. |