Text nodes not in the HTML namespace were being incorrectly literally rendered, causing text which should've been escaped to not be. This could lead to an XSS attack.
This is a PRIVATE issue for CVE-2023-3978, tracked in http://b/289177674 and fixed by http://tg/1942896.
/cc @golang/security and @golang/release
Change https://go.dev/cl/514896 mentions this issue: html: only render content literally in the HTML namespace
html: only render content literally in the HTML namespace
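The rendering rule described in the issue, as an added example that is not part of the original thread and is not the code of the Go html package: a simplified serializer in which text children of raw-text elements are written unescaped, with and without the namespace check. The `Node` type, `Render`, `literalChildren`, the `checkNS` switch and the element list are assumptions of this sketch, and the sample tree is constructed.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Node is a simplified tree node (assumption, not the real package's type).
// Namespace "" is the HTML namespace; Tag is empty for a text node.
type Node struct {
	Namespace, Tag, Text string
	Children             []*Node
}

// rawText lists HTML elements whose text children are serialized unescaped.
var rawText = map[string]bool{"iframe": true, "noembed": true, "noframes": true,
	"noscript": true, "plaintext": true, "script": true, "style": true, "xmp": true}

// literalChildren reports whether n's text children are written as-is.
// checkNS=false models the flawed behaviour (element name only);
// checkNS=true models the fix (HTML namespace required as well).
func literalChildren(n *Node, checkNS bool) bool {
	return rawText[n.Tag] && (!checkNS || n.Namespace == "")
}

// Render serializes n; text is escaped unless its parent allows literal text.
func Render(n *Node, checkNS bool) string {
	var b strings.Builder
	b.WriteString("<" + n.Tag + ">")
	for _, c := range n.Children {
		switch {
		case c.Tag != "":
			b.WriteString(Render(c, checkNS))
		case literalChildren(n, checkNS):
			b.WriteString(c.Text)
		default:
			b.WriteString(html.EscapeString(c.Text))
		}
	}
	b.WriteString("</" + n.Tag + ">")
	return b.String()
}

func main() {
	// Constructed sample: markup-like text inside an SVG-namespace <style>.
	t := &Node{Namespace: "svg", Tag: "style", Children: []*Node{{Text: "<b>x</b>"}}}
	fmt.Println(Render(t, false)) // flawed: text emitted as markup
	fmt.Println(Render(t, true))  // fixed: text escaped
}
```

With the namespace check enabled, an HTML-namespace `style` element still keeps its text literal, so only foreign-content output changes.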