Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

html/template: URL auto-escaper may produce invalid markup #19205

Closed
moshee opened this issue Feb 20, 2017 · 4 comments

Comments

Projects
None yet
6 participants
@moshee
Copy link

commented Feb 20, 2017

What version of Go are you using (go version)?

go version go1.8 linux/amd64

What operating system and processor architecture are you using (go env)?

Any environment.

What did you do?

https://play.golang.org/p/vkxq91HMhf

What did you expect to see?

The template produces fully valid markup, i.e. <a href="http://www.example.com/%5B%5D">a</a>, as if using url.PathEscape.

What did you see instead?

The square brackets remain unescaped in the path. According to the W3 Validator, this is invalid:

screen shot 2017-02-20 at 11 04 59 am

@bradfitz bradfitz added this to the Go1.9Maybe milestone Mar 21, 2017

@odeke-em

This comment has been minimized.

Copy link
Member

commented Apr 29, 2017

@rsc do you think there might be some security implications in changing this?

@bradfitz bradfitz modified the milestones: Go1.9Maybe, Go1.10 Jul 20, 2017

@odeke-em

This comment has been minimized.

Copy link
Member

commented Aug 14, 2017

@mikesamuel

This comment has been minimized.

Copy link
Contributor

commented Aug 14, 2017

Square brackets are allowed in URIs as in IPv6 numeric hosts per RFC 6874.

IP-literal = "[" ( IPv6address / IPv6addrz / IPvFuture  ) "]"

so we ought not fix this by breaking https://play.golang.org/p/ZO713Uf8_Z

`<a href="http://{{ . }}/">a</a>`

The template produces fully valid markup

This is impossible for URIs without non-local reasoning. For example,

template.New("asdf")
    .Parse(`<a href="{{if .IsHost}}http://{{end}}{{.UrlPart}}{{if .IsHost}}/{{end}}">`)

In this instance, we would need to either

  • have the escaping directive know about the context based on information available at runtime
  • do a second pass at the end of the href value to fixup the URL.

Unless there are security consequences to not validating here, I would leave as-is.

@ianlancetaylor

This comment has been minimized.

Copy link
Contributor

commented Dec 8, 2017

It sounds like we shouldn't make any change here. Closing. Please comment if you disagree.

@golang golang locked and limited conversation to collaborators Dec 8, 2018

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.