html/template: JS context breaks after a quoted </script> #43730
This is the expected behavior. To get your expected result, you should use something like

Browsers behave the same way.

I've checked, and yes, browsers behave the same way. I suppose we can close this issue.
What version of Go are you using (go version)?

Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (go env)?
darwin/amd64

What did you do?
The existence of a tag </script> inside a JavaScript string breaks the context and can cause code injection.

In the following example, the first variable is properly quoted, but the variables after "</script>" are not treated as JavaScript strings, and the Go representation is displayed:

https://play.golang.org/p/_XqZ3NtXYVE
What did you expect to see?
What did you see instead?
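An added example, not part of the original issue or its comments: it renders a template with "</script>" written inside a JS string literal next to one where the same text is passed as a value, and checks the output for an early end of the script element. The template strings, the sample values and the names render and endsScriptEarly are constructed for illustration.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Constructed templates. In literalTmpl the "</script>" is part of the
// template source; in dataTmpl the same text arrives as a value.
const (
	literalTmpl = `<script>var a = {{.A}}; var b = "</script>"; var c = {{.C}};</script>`
	dataTmpl    = `<script>var a = {{.A}}; var b = {{.B}}; var c = {{.C}};</script>`
)

type vars struct{ A, B, C string }

// render parses and executes src with html/template's contextual escaping.
func render(src string, v vars) (string, error) {
	t, err := template.New("page").Parse(src)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	err = t.Execute(&sb, v)
	return sb.String(), err
}

// endsScriptEarly reports whether out contains a raw "</script" before the
// final closing tag, i.e. whether an HTML parser would leave the script
// element before the template author intended.
func endsScriptEarly(out string) bool {
	return strings.Count(strings.ToLower(out), "</script") > 1
}

func main() {
	v := vars{A: "first", B: "</script>", C: "<b>third</b>"} // constructed values
	for _, src := range []string{literalTmpl, dataTmpl} {
		out, err := render(src, v)
		if err != nil {
			panic(err)
		}
		// The literal case depends on the Go release; the data case does not.
		fmt.Printf("early end: %-5v %s\n", endsScriptEarly(out), out)
	}
}
```

When the text is passed as a value, the escaper emits it as a JS string with < and > written as \u003c and \u003e, so no raw end tag reaches the HTML parser and the later variables stay in JS context.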