From fb16297ae571a232e46a67e6e40027f1f82ef6ec Mon Sep 17 00:00:00 2001
From: Roland Shoemaker
Date: Fri, 9 Jan 2026 11:12:01 -0800
Subject: html/template: properly escape URLs in meta content attributes
The meta tag can include a content attribute that contains URLs, which we currently don't escape if they are inserted via a template action. This can plausibly lead to XSS vulnerabilities if untrusted data is inserted there, the http-equiv attribute is set to "refresh", and the content attribute contains an action like `url={{.}}`.
Track whether we are inside of a meta element, if we are inside of a content attribute, _and_ if the content attribute contains "url=". If all of those are true, then we will apply the same URL escaping that we use elsewhere.
Also add a new GODEBUG, htmlmetacontenturlescape, to allow disabling this escaping for cases where this behavior is considered safe. The behavior can be disabled by setting htmlmetacontenturlescape=0.
Fixes CVE-2026-27142
Fixes #77954
Change-Id: I9bbca263be9894688e6ef1e9a8f8d2f4304f5873
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3360
Reviewed-by: Neal Patel
Reviewed-by: Nicholas Husin
Reviewed-on: https://go-review.googlesource.com/c/go/+/752181
Reviewed-by: Dmitri Shuralyov
LUCI-TryBot-Result: Go LUCI
---
src/internal/godebugs/table.go | 1 +
1 file changed, 1 insertion(+)
(limited to 'src/internal')
diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go
index 10c4eb715e..5e33a0b0f3 100644
--- a/src/internal/godebugs/table.go
+++ b/src/internal/godebugs/table.go
@@ -39,6 +39,7 @@ var All = []Info{
 {Name: "gocachetest", Package: "cmd/go"},
 {Name: "gocacheverify", Package: "cmd/go"},
 {Name: "gotestjsonbuildtext", Package: "cmd/go", Changed: 24, Old: "1"},
+ {Name: "htmlmetacontenturlescape", Package: "html/template"},
 {Name: "http2client", Package: "net/http"},
 {Name: "http2debug", Package: "net/http", Opaque: true},
 {Name: "http2server", Package: "net/http"},
-- 
cgit v1.3-5-g45d5
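Review bot: Nothing in the hunk or the commit message records why the new entry omits `Changed`/`Old`, while the neighbouring `gotestjsonbuildtext` entry carries `Changed: 24, Old: "1"`; for a security fix the omission is the right choice, because a `Changed`/`Old` pair would let a module with an older `go` directive in go.mod default back to the unescaped behaviour, so it is worth stating before a later cleanup "fixes" it. A one-line comment above the entry would do, e.g. `// No Changed/Old: security fix, must stay on regardless of the go.mod go version.`, or the same sentence in the commit message; the earlier html/template security setting `jstmpllitinterp` follows the same pattern. The `All` table starts and ends outside the hunk. This diff is limited to src/internal, so the html/template escaping change and the doc/godebug.md entry that this package's `TestAll` expects for every non-opaque name are presumably in the full commit; I cannot confirm them from here.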