From a9db31e6d9f280418ce441067f3f9dc0a036e770 Mon Sep 17 00:00:00 2001
From: Roland Shoemaker
Date: Fri, 9 Jan 2026 11:12:01 -0800
Subject: [release-branch.go1.25] html/template: properly escape URLs in meta content attributes

The meta tag can include a content attribute that contains URLs, which we currently don't escape if they are inserted via a template action. This can plausibly lead to XSS vulnerabilities if untrusted data is inserted there, the http-equiv attribute is set to "refresh", and the content attribute contains an action like `url={{.}}`.

Track whether we are inside of a meta element, if we are inside of a content attribute, _and_ if the content attribute contains "url=". If all of those are true, then we will apply the same URL escaping that we use elsewhere.

Also add a new GODEBUG, htmlmetacontenturlescape, to allow disabling this escaping for cases where this behavior is considered safe. The behavior can be disabled by setting htmlmetacontenturlescape=0.

Updates #77954
Fixes #77971
Fixes CVE-2026-27142

Change-Id: I9bbca263be9894688e6ef1e9a8f8d2f4304f5873
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3360
Reviewed-by: Neal Patel
Reviewed-by: Nicholas Husin
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3644
Reviewed-by: Damien Neil
Commit-Queue: Roland Shoemaker
Reviewed-on: https://go-review.googlesource.com/c/go/+/752101
Auto-Submit: Gopher Robot
TryBot-Bypass: Gopher Robot
Reviewed-by: Dmitri Shuralyov
Reviewed-by: Cherry Mui
---
 src/html/template/element_string.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'src/html/template/element_string.go')

diff --git a/src/html/template/element_string.go b/src/html/template/element_string.go
index db286655aa..bdf9da7b9d 100644
--- a/src/html/template/element_string.go
+++ b/src/html/template/element_string.go
@@ -13,11 +13,12 @@ func _() {
 _ = x[elementStyle-2]
 _ = x[elementTextarea-3]
 _ = x[elementTitle-4]
+ _ = x[elementMeta-5]
 }
 
-const _element_name = "elementNoneelementScriptelementStyleelementTextareaelementTitle"
+const _element_name = "elementNoneelementScriptelementStyleelementTextareaelementTitleelementMeta"
 
-var _element_index = [...]uint8{0, 11, 24, 36, 51, 63}
+var _element_index = [...]uint8{0, 11, 24, 36, 51, 63, 74}
 
 func (i element) String() string {
 if i >= element(len(_element_index)-1) {
-- cgit v1.3