html/template: improper handling of JavaScript whitespace

[rolandshoemaker]

Not all valid JavaScript whitespace characters were considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.

/cc @golang/security and @golang/release

[neild]

@gopherbot please open backport issues for this security fix

[gopherbot]

Backport issue(s) opened: #59813 (for 1.19), #59814 (for 1.20).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/491355 mentions this issue: [release-branch.go1.19] html/template: handle all JS whitespace characters

[gopherbot]

Change https://go.dev/cl/491356 mentions this issue: [release-branch.go1.20] html/template: handle all JS whitespace characters

[gopherbot]

Change https://go.dev/cl/491616 mentions this issue: html/template: handle all JS whitespace characters