From 994692847a2cd3efd319f0cb61a07c0012c8a4ff Mon Sep 17 00:00:00 2001 From: Roland Shoemaker Date: Fri, 9 Jan 2026 11:12:01 -0800 Subject: [release-branch.go1.26] html/template: properly escape URLs in meta content attributes The meta tag can include a content attribute that contains URLs, which we currently don't escape if they are inserted via a template action. This can plausibly lead to XSS vulnerabilities if untrusted data is inserted there, the http-equiv attribute is set to "refresh", and the content attribute contains an action like `url={{.}}`. Track whether we are inside of a meta element, if we are inside of a content attribute, _and_ if the content attribute contains "url=". If all of those are true, then we will apply the same URL escaping that we use elsewhere. Also add a new GODEBUG, htmlmetacontenturlescape, to allow disabling this escaping for cases where this behavior is considered safe. The behavior can be disabled by setting htmlmetacontenturlescape=0. Updates #77954 Fixes #77972 Fixes CVE-2026-27142 Change-Id: I9bbca263be9894688e6ef1e9a8f8d2f4304f5873 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3360 Reviewed-by: Neal Patel Reviewed-by: Nicholas Husin Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3643 Reviewed-by: Damien Neil Reviewed-on: https://go-review.googlesource.com/c/go/+/752081 Auto-Submit: Gopher Robot Reviewed-by: Cherry Mui TryBot-Bypass: Gopher Robot Reviewed-by: Dmitri Shuralyov --- src/html/template/escape.go | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'src/html/template/escape.go') diff --git a/src/html/template/escape.go b/src/html/template/escape.go index 1f963e61b4..d8e1b8cb54 100644 --- a/src/html/template/escape.go +++ b/src/html/template/escape.go @@ -166,6 +166,8 @@ func (e *escaper) escape(c context, n parse.Node) context { var debugAllowActionJSTmpl = godebug.New("jstmpllitinterp") +var htmlmetacontenturlescape = godebug.New("htmlmetacontenturlescape") + // escapeAction escapes an action template node. func (e *escaper) escapeAction(c context, n *parse.ActionNode) context { if len(n.Pipe.Decl) != 0 { @@ -223,6 +225,18 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context { default: panic(c.urlPart.String()) } + case stateMetaContent: + // Handled below in delim check. + case stateMetaContentURL: + if htmlmetacontenturlescape.Value() != "0" { + s = append(s, "_html_template_urlfilter") + } else { + // We don't have a great place to increment this, since it's hard to + // know if we actually escape any urls in _html_template_urlfilter, + // since it has no information about what context it is being + // executed in etc. This is probably the best we can do. + htmlmetacontenturlescape.IncNonDefault() + } case stateJS: s = append(s, "_html_template_jsvalescaper") // A slash after a value starts a div operator. -- cgit v1.3