html/template: dynamic substrings in HTML tags or attributes can result in unsafe HTML output #19669
Comments
The idea initially was to allow switching between a few equivalence sets
so it might be worth not including the feature in strict mode or limiting it somehow. I think
is high impact but low frequency if we're correct about our design assumption that template authors are acting in good faith, so this is definitely a bug, but not super high priority.
I definitely plan to disallow this feature in my wrapper package.
I agree that this bug is unlikely to occur if we assume benign developers. Do you have a sense of how we should go about fixing this? The only two solutions I see are either disallowing this feature completely, or adding another escaping pass.
ping @stjj89 @mikesamuel What is the status of this? Thanks.
As per Mike's comment, the probability of this being an issue might be low enough that it is not worth fixing preemptively. We can probably shelve this and revisit it in the future if it proves to be an issue.
Thanks.
The following template:
produces the following HTML output when executed with X = "cript":
This happens because {{.X}} (i.e. {{.X | _html_template_htmlnamefilter}}) sees the text value "cript", deems that it is a safe HTML tag/attribute name, and renders it as-is. In general, allowing dynamic substrings in HTML tags or attributes may confuse the parser and escaper, since the static and dynamic parts of the name are handled in different phases.
Suggested solution: disallow dynamic substrings in HTML tags or attributes completely.
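The issue's own template is not reproduced on this page, so the following is an added example (not code from the issue or from the Go project) that reconstructs the pattern it describes: a tag name built from a static prefix "s" and a dynamic suffix .X, run through html/template with X = "cript". It also shows the mitigation the thread discusses for a wrapper package, selecting among fully static templates in Go code so that no fragment of a tag or attribute name ever comes from data. The template text `<s{{.X}}>` and the allowlist contents are assumptions of this example.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// unsafeTpl is a constructed template (the issue's own template text is not
// reproduced on the page): the tag name is the static prefix "s" followed by
// the dynamic suffix .X, which is the pattern the issue describes.
var unsafeTpl = template.Must(template.New("dynamic").Parse(`<s{{.X}}>`))

// RenderDynamicTag executes the constructed template with the given value of X
// and returns exactly what html/template emits, so the escaper's behaviour on
// a partial tag name can be checked.
func RenderDynamicTag(x string) (string, error) {
	var sb strings.Builder
	if err := unsafeTpl.Execute(&sb, map[string]string{"X": x}); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// allowlistedTpls is the alternative a wrapper package can enforce: every tag
// name is static inside its own template, and Go code decides which template
// runs. The allowlist contents are an assumption for this example.
var allowlistedTpls = map[string]*template.Template{
	"span":   template.Must(template.New("span").Parse(`<span>{{.}}</span>`)),
	"strong": template.Must(template.New("strong").Parse(`<strong>{{.}}</strong>`)),
}

// RenderAllowlistedTag renders body inside the requested tag, or fails if the
// tag is not on the allowlist. Because the element name is complete and static
// in each template, the escaper can classify the context correctly and the
// body is HTML-escaped as text.
func RenderAllowlistedTag(tag, body string) (string, error) {
	t, ok := allowlistedTpls[tag]
	if !ok {
		return "", fmt.Errorf("tag %q is not allowlisted", tag)
	}
	var sb strings.Builder
	if err := t.Execute(&sb, body); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	// "pan" and "cript" both pass _html_template_htmlnamefilter; "cri pt" does
	// not (the space is rejected) and is replaced by the ZgotmplZ failsafe.
	for _, x := range []string{"pan", "cript", "cri pt"} {
		out, err := RenderDynamicTag(x)
		fmt.Printf("X=%q -> %q (err=%v)\n", x, out, err)
	}
	out, err := RenderAllowlistedTag("span", "a<b")
	fmt.Printf("allowlisted span -> %q (err=%v)\n", out, err)
	_, err = RenderAllowlistedTag("script", "x")
	fmt.Printf("allowlisted script -> err=%v\n", err)
}
```

The point of the first function is that the name filter judges only the dynamic substring "cript", which is a perfectly ordinary name on its own; it never sees the assembled tag name "script", so the filter cannot reject it. The second function removes the problem rather than filtering it: the choice is made in Go against an allowlist and every template the escaper analyses contains a complete, static element name.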