x/net/html: text nodes outside of the HTML namespace improperly rendered #61615

@rolandshoemaker

Text nodes not in the HTML namespace were being incorrectly literally rendered, causing text which should've been escaped to not be. This could lead to an XSS attack.

This is a PRIVATE issue for CVE-2023-3978, tracked in http://b/289177674 and fixed by http://tg/1942896.

/cc @golang/security and @golang/release
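
A simplified model of the rendering behaviour described in this issue, added here as an example and not taken from the x/net/html source. The `Node` type, `render`, the `checkNamespace` switch and the raw-text element list are assumptions made for illustration; the sample tree is constructed.

```go
package main

import (
	"fmt"
	"html"
)

// Node is a constructed stand-in for a parsed node; Tag == "" marks a text node.
type Node struct {
	Tag, Namespace, Text string
	Children             []*Node
}

// Assumed list of HTML elements whose text children are serialized unescaped.
var rawText = map[string]bool{"iframe": true, "noembed": true, "noframes": true,
	"plaintext": true, "script": true, "style": true, "xmp": true}

// literalChildren reports whether n's text children are written verbatim.
// checkNamespace=false models the reported behaviour, true models the fix.
func literalChildren(n *Node, checkNamespace bool) bool {
	if checkNamespace && n.Namespace != "" {
		return false // svg/math elements are never raw-text elements
	}
	return rawText[n.Tag]
}

// render serializes n; literal is only consulted when n is a text node.
func render(n *Node, literal, checkNamespace bool) string {
	if n.Tag == "" && literal {
		return n.Text
	} else if n.Tag == "" {
		return html.EscapeString(n.Text)
	}
	out := "<" + n.Tag + ">"
	for _, c := range n.Children {
		out += render(c, literalChildren(n, checkNamespace), checkNamespace)
	}
	return out + "</" + n.Tag + ">"
}

// foreignStyle builds constructed input: text inside an SVG-namespace <style>.
func foreignStyle() *Node {
	return &Node{Tag: "svg", Namespace: "svg", Children: []*Node{{Tag: "style",
		Namespace: "svg", Children: []*Node{{Text: "</style><b>x</b>"}}}}}
}

func main() {
	fmt.Println(render(foreignStyle(), false, false), "->", render(foreignStyle(), false, true))
}
```

The same pair of assertions works as a regression check against any serializer: text under a foreign-namespace element must come back escaped, while text under an HTML-namespace `style` stays literal.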

Labels: FrozenDueToAge, NeedsFix (The path to resolution is known, but the work has not been done.), Security
