
html/template: JS context breaks after a quoted </script> #43730

Open

maraino opened this issue Jan 15, 2021 · 3 comments

Comments

maraino commented Jan 15, 2021

What version of Go are you using (go version)?

$ go version
go version go1.15.6 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

darwin/amd64

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/mariano/Library/Caches/go-build"
GOENV="/Users/mariano/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/mariano/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/mariano/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/Cellar/go/1.15.6/libexec"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.15.6/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/6g/rqtbx_fd6ljgvql610mhh7sr0000gn/T/go-build388033793=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

The existence of a </script> tag inside a JavaScript string breaks the context and can cause code injection.

In the following example, the first variable is properly quoted, but the variables after "</script>" are not treated as a JavaScript string, and the Go representation is displayed:

https://play.golang.org/p/_XqZ3NtXYVE

What did you expect to see?

<script>var b = {"foo": "foo", "script": "</script>", "bar": "bar"}</script>

What did you see instead?

<script>var b = {"foo": "foo", "script": "</script>", "bar": bar}</script>
seankhliao changed the title from "html/template JS context breaks after a quoted </script>" to "html/template: JS context breaks after a quoted </script>" on Jan 15, 2021

soroushj commented Jan 17, 2021

This is the expected behavior. To get your expected result, you should use something like "<" + "/script>" or "<\/script>" instead of "</script>".

opennota commented Jan 18, 2021

Browsers behave the same way.

maraino (author) commented Jan 20, 2021

I've checked, and yes, browsers behave the same way. I suppose we can close this issue.
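The behaviour reported in the issue and the "<\/script>" workaround suggested in the comments, as an added runnable example. This is not code from the issue, the playground link, or the Go project: the page type, its field names, the template strings and the sample values are constructed here. What it shows is the distinction that decides the issue: the </script> that breaks the context is template text, which html/template scans the way a browser's HTML tokenizer would, whereas an end tag arriving as a data value (renderValue below) is JSON-encoded by the JS value escaper and never reaches the scanner as a tag. Note that Go 1.20.8 and 1.21.1 changed how html/template treats "</script" inside JavaScript string and regexp literals (the fix for CVE-2023-39319), so on those and later releases the first template no longer renders exactly as the issue shows; the JSON quoting of {{.Bar}} in the second template and the renderValue output are the same on all versions.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// page is the data rendered into the templates below. The type and its
// field names are constructed for this example, not taken from the issue.
type page struct {
	Foo string
	Bar string
}

// unsafeTmpl mirrors the template in the issue: the literal </script> sits
// inside a JavaScript string in the template text (not in a data value).
// html/template's context scanner treats that end tag the way a browser's
// HTML tokenizer does, so with Go 1.15 the <script> element ends there and
// {{.Bar}} is rendered in HTML text context: HTML-escaped, not JSON-quoted.
const unsafeTmpl = `<script>var b = {"foo": {{.Foo}}, "script": "</script>", "bar": {{.Bar}}}</script>`

// safeTmpl applies the workaround from the comments: "<\/script>" is the same
// JavaScript string value, but neither the scanner nor a browser sees an end
// tag, so the JS string context survives and {{.Bar}} is JSON-quoted.
const safeTmpl = `<script>var b = {"foo": {{.Foo}}, "script": "<\/script>", "bar": {{.Bar}}}</script>`

// render parses src with html/template and executes it against data,
// returning the contextually escaped output.
func render(src string, data interface{}) (string, error) {
	t, err := template.New("t").Parse(src)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, data); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// renderValue shows the contrasting case: an end tag that arrives as a data
// value rather than as template text. The JS value escaper JSON-encodes it,
// and encoding/json writes '<' and '>' as \u003c and \u003e, so the output
// contains no end tag for either the scanner or the browser to act on.
func renderValue(v string) (string, error) {
	return render(`<script>var s = {{.}};</script>`, v)
}

func main() {
	data := page{Foo: "foo", Bar: "bar"}
	cases := []struct{ name, src string }{
		{"unsafe", unsafeTmpl},
		{"safe", safeTmpl},
	}
	for _, c := range cases {
		out, err := render(c.src, data)
		if err != nil {
			fmt.Printf("%s: error: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%s: %s\n", c.name, out)
	}
	// Constructed attacker-style value: the end tag is data, not template text.
	out, err := renderValue("</script><script>alert(1)</script>")
	if err != nil {
		fmt.Println("value: error:", err)
		return
	}
	fmt.Println("value:", out)
}
```

Running it on Go 1.15 prints the two outputs from the issue for the first template and its fixed counterpart, followed by the JSON-escaped value. The practical rule it illustrates is the one the thread settles on: keep "</script" (and, for the same reason, "<!--" and "<script") out of literal JavaScript in template text, and let data go through actions, where the JS escaper handles it.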
