Skip to content

x/net/html: text nodes outside of the HTML namespace improperly rendered #61615

New issue
New issue
Closed
Closed
x/net/html: text nodes outside of the HTML namespace improperly rendered#61615
Assignees
neild
Labels
FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.Security
Milestone
Unreleased
@rolandshoemaker

Description

@rolandshoemaker
rolandshoemaker
opened on Jul 27, 2023

Text nodes not in the HTML namespace were being incorrectly literally rendered, causing text which should've been escaped to not be. This could lead to an XSS attack.

This is a PRIVATE issue for CVE-2023-3978, tracked in http://b/289177674 and fixed by http://tg/1942896.

/cc @golang/security and @golang/release

Metadata

Metadata

Assignees

Labels

FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.Security

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions