html/template: incorrect parsing of script element with CDATA tag since 1.21.1 #63464
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
Yes, it does. The script parses correctly using go1.21.0
What operating system and processor architecture are you using (go env)?
What did you do?
I have a Golang service which is parsing templates generated on the fly by an npm/gulp backend for the purposes of development. One of the packages in use on the node side is browsersync, which injects a script into the top of the body of the page. This script is encapsulated in CDATA tags.
A simple reproduction is available here: https://go.dev/play/p/zDDuftHipgG
This issue appears to have been caused by this commit: bbd043f
And is related to this security issue: #62197
The commit author does mention that this change will break some legitimate code, but I believe that breaking CDATA tags is a significant enough issue that it should not be ignored.
What did you expect to see?
The template parse and execute correctly.
What did you see instead?
The execution fails with the error: