Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[release-branch.go1.20] html/template: emit filterFailsafe for empty …
…unquoted attr value An unquoted action used as an attribute value can result in unsafe behavior if it is empty, as HTML normalization will result in unexpected attributes, and may allow attribute injection. If executing a template results in a empty unquoted attribute value, emit filterFailsafe instead. Thanks to Juho Nurminen of Mattermost for reporting this issue. For golang#59722 Fixes golang#59816 Fixes CVE-2023-29400 Change-Id: Ia38d1b536ae2b4af5323a6c6d861e3c057c2570a Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826631 Reviewed-by: Julie Qiu <julieqiu@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851494 Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/491358 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Run-TryBot: Carlos Amedee <carlos@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org>
- Loading branch information