diff options
| author | Roland Shoemaker <bracewell@google.com> | 2026-01-09 11:12:01 -0800 |
|---|---|---|
| committer | Cherry Mui <cherryyz@google.com> | 2026-03-05 17:05:07 -0800 |
| commit | fb16297ae571a232e46a67e6e40027f1f82ef6ec (patch) | |
| tree | b7e6af55fa6024240fa080981913cb47834e560e /src/html/template/element_string.go | |
| parent | 36d8b15842748194c4a2ce7e9cf46c65a958283c (diff) | |
| download | go-fb16297ae571a232e46a67e6e40027f1f82ef6ec.tar.xz | |
html/template: properly escape URLs in meta content attributes
The meta tag can include a content attribute that contains URLs, which
we currently don't escape if they are inserted via a template action.
This can plausibly lead to XSS vulnerabilities if untrusted data is
inserted there, the http-equiv attribute is set to "refresh", and the
content attribute contains an action like `url={{.}}`.
Track whether we are inside of a meta element, if we are inside of a
content attribute, _and_ if the content attribute contains "url=". If
all of those are true, then we will apply the same URL escaping that we
use elsewhere.
Also add a new GODEBUG, htmlmetacontenturlescape, to allow disabling this
escaping for cases where this behavior is considered safe. The behavior
can be disabled by setting htmlmetacontenturlescape=0.
Fixes CVE-2026-27142
Fixes #77954
Change-Id: I9bbca263be9894688e6ef1e9a8f8d2f4304f5873
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3360
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/752181
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Diffstat (limited to 'src/html/template/element_string.go')
| -rw-r--r-- | src/html/template/element_string.go | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/html/template/element_string.go b/src/html/template/element_string.go index db286655aa..bdf9da7b9d 100644 --- a/src/html/template/element_string.go +++ b/src/html/template/element_string.go @@ -13,11 +13,12 @@ func _() { _ = x[elementStyle-2] _ = x[elementTextarea-3] _ = x[elementTitle-4] + _ = x[elementMeta-5] } -const _element_name = "elementNoneelementScriptelementStyleelementTextareaelementTitle" +const _element_name = "elementNoneelementScriptelementStyleelementTextareaelementTitleelementMeta" -var _element_index = [...]uint8{0, 11, 24, 36, 51, 63} +var _element_index = [...]uint8{0, 11, 24, 36, 51, 63, 74} func (i element) String() string { if i >= element(len(_element_index)-1) { |