html/template: emit filterFailsafe for empty unquoted attr value - go - Fork of Go programming language with my patches.

diff options

author	Roland Shoemaker <bracewell@google.com>	2023-04-13 14:01:50 -0700
committer	Carlos Amedee <carlos@golang.org>	2023-05-02 19:42:28 +0000
commit	0d347544cbca0f42b160424f6bc2458ebcc7b3fc (patch)
tree	bc11f07a19ca44fe318fcebb1450e71fc20f3abe /src/runtime/stack.go
parent	a32232cb18ed07496ec77c1cf2dcefa1cb0ac057 (diff)
download	go-0d347544cbca0f42b160424f6bc2458ebcc7b3fc.tar.xz

html/template: emit filterFailsafe for empty unquoted attr value

An unquoted action used as an attribute value can result in unsafe behavior if it is empty, as HTML normalization will result in unexpected attributes, and may allow attribute injection. If executing a template results in a empty unquoted attribute value, emit filterFailsafe instead. Thanks to Juho Nurminen of Mattermost for reporting this issue. Fixes #59722 Fixes CVE-2023-29400 Change-Id: Ia38d1b536ae2b4af5323a6c6d861e3c057c2570a Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826631 Reviewed-by: Julie Qiu <julieqiu@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/491617 Run-TryBot: Carlos Amedee <carlos@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>

Diffstat (limited to 'src/runtime/stack.go')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: