| author | Roland Shoemaker <bracewell@google.com> | 2026-01-09 11:12:01 -0800 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2026-03-05 16:12:49 -0800 |
| commit | 994692847a2cd3efd319f0cb61a07c0012c8a4ff (patch) | |
| tree | 6420c79163711856095efff03655727438064651 /src/html/template/state_string.go | |
| parent | 65c7d7a9fb3a9d1fbf1e702a211b8cc3a7bedb53 (diff) | |
[release-branch.go1.26] html/template: properly escape URLs in meta content attributes
The meta tag can include a content attribute that contains URLs, which
we currently don't escape if they are inserted via a template action.
This can plausibly lead to XSS vulnerabilities if untrusted data is
inserted there, the http-equiv attribute is set to "refresh", and the
content attribute contains an action like `url={{.}}`.
Track whether we are inside a meta element, whether we are inside its
content attribute, _and_ whether that content attribute contains "url=".
Only when all three hold do we apply the same URL escaping that we use
elsewhere.
Also add a new GODEBUG, htmlmetacontenturlescape, to allow disabling this
escaping for cases where this behavior is considered safe. The behavior
can be disabled by setting htmlmetacontenturlescape=0.
Updates #77954
Fixes #77972
Fixes CVE-2026-27142
Change-Id: I9bbca263be9894688e6ef1e9a8f8d2f4304f5873
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3360
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3643
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/752081
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Diffstat (limited to 'src/html/template/state_string.go')
| -rw-r--r-- | src/html/template/state_string.go | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/src/html/template/state_string.go b/src/html/template/state_string.go
index eed1e8bcc0..f5a70b2231 100644
--- a/src/html/template/state_string.go
+++ b/src/html/template/state_string.go
@@ -36,12 +36,14 @@ func _() {
 _ = x[stateCSSBlockCmt-25]
 _ = x[stateCSSLineCmt-26]
 _ = x[stateError-27]
- _ = x[stateDead-28]
+ _ = x[stateMetaContent-28]
+ _ = x[stateMetaContentURL-29]
+ _ = x[stateDead-30]
 }
-const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSTmplLitstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
+const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSTmplLitstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateMetaContentstateMetaContentURLstateDead"
-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 156, 169, 184, 198, 216, 235, 243, 256, 269, 282, 295, 306, 322, 337, 347, 356}
+var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 156, 169, 184, 198, 216, 235, 243, 256, 269, 282, 295, 306, 322, 337, 347, 363, 382, 391}
 func (i state) String() string {
 if i >= state(len(_state_index)-1) { |
