html/template: dynamic substrings in HTML tags or attributes can result in unsafe HTML output #19669
The following template:
produces the following HTML output when executed with
This happens because:
In general, allowing dynamic substrings in HTML tags or attributes may confuse the parser and escaper, since the static and dynamic parts of the name are handled in different phases.
Suggested solution: disallow dynamic substrings in HTML tags or attributes completely.
The idea initially was to allow switching between a few equivalence sets
so it might be worth not including the feature in strict mode or limiting it somehow.
is high impact but low frequency if we're correct about our design assumption that template authors are acting in good faith, so this is definitely a bug, but not super high priority.
I definitely plan to disallow this feature in my wrapper package.
I agree that this bug is unlikely to occur if we assume benign developers. Do you have a sense of how we should go about fixing this? The only two solutions I see are either disallowing this feature completely, or adding another escaping pass.
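A check of the kind the issue's suggested fix and the last comment describe, as an added example that is not html/template code or anything posted in this thread: it scans template source text and reports output actions glued into a tag name or attribute name, so a wrapper package can reject such templates before parsing. `DynamicNames`, `control` and `past` are assumed names, and the template in `main` is constructed.

```go
package main

import "strings"

// Hypothetical pre-check for a wrapper package (not html/template's own code): report the byte
// offset of every output action in a tag-name or attribute-name position, the construction the
// issue proposes to disallow. Control actions and actions in text or quoted values pass.
func control(s string, i int) bool { // does the action at s[i:] produce no output by itself?
	b := strings.TrimLeft(s[i+2:], " \t-")
	return strings.HasPrefix(b, "if ") || strings.HasPrefix(b, "range ") || strings.HasPrefix(b, "with ") ||
		strings.HasPrefix(b, "else") || strings.HasPrefix(b, "end") || strings.HasPrefix(b, "/*")
}

func past(s string, i int) int { // index just after the "}}" that closes the action at s[i:]
	_, rest, _ := strings.Cut(s[i+2:], "}}") // rest is empty when the action is unterminated
	return len(s) - len(rest)
}

func DynamicNames(t string) (bad []int) {
	for i := 0; i < len(t); i++ {
		if t[i] != '<' || i+1 == len(t) || !(t[i+1]|0x20 >= 'a' && t[i+1]|0x20 <= 'z' || t[i+1] == '/' || strings.HasPrefix(t[i+1:], "{{")) {
			continue // a tag opens only at '<' followed by a letter, '/' or an action; any other '<' is text
		}
		for i++; i < len(t) && t[i] != '>'; { // inside the tag, up to its closing '>'
			switch {
			case strings.HasPrefix(t[i:], "{{"): // an action outside any value is in name position
				if !control(t, i) {
					bad = append(bad, i)
				}
				i = past(t, i)
			case t[i] == '=' && strings.HasPrefix(t[i+1:], "{{"): // bare value that is one action
				i = past(t, i+1)
			case t[i] == '"' || t[i] == '\'': // quoted value: actions inside it are fine
				q := t[i]
				for i++; i < len(t) && t[i] != q; i++ {
					if strings.HasPrefix(t[i:], "{{") {
						i = past(t, i) - 1 // an action body may itself contain quotes
					}
				}
				i++ // the closing quote
			default: // name characters, '=', '/' or whitespace
				i++
			}
		}
	}
	return bad
}

func main() { // constructed sample: the attribute name "hr{{.N}}" is partly dynamic
	println(DynamicNames(`<a hr{{.N}}="y">`)[0]) // prints 5
}
```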