Description
If a type passed to the template action has a JSON marshaller, and that MarshalJSON method fails, the returned error is inserted into the template inside a JavaScript comment. To avoid cases where that error contains user content, which may itself contain a closing comment token (*/), we do a find/replace for comment tokens and replace them with * /.
This doesn't take into account the confusing handling of closing script tags and HTML comment openers (</script and <!-- respectively), which may also be present in user content and which the HTML tokenizer honours even inside a JavaScript comment. We can fix this by treating these tags the same way we do elsewhere in the script context, by taking the HTML specification recommendation and replacing them with \x3C/script and \x3C!-- in the same way we are currently handling closing comment tokens.
e.g. https://go.dev/play/p/gjCDVopt-zc
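The following is an added illustration of the escaping described above, written for this page; it is not the code from the html/template package or from the fix itself. It models the escaper's behaviour with a simplified jsValue function (the name and the exact " /* ... */null " output shape are assumptions), a constructed type whose MarshalJSON fails with user-influenced text, and a sanitizeCommentText helper that neutralises all three context-breaking sequences. The </script match is done ASCII-case-insensitively, as the HTML tokenizer does; that choice goes slightly beyond what the issue text spells out.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// sanitizeCommentText neutralises the sequences that could let text placed
// inside a JavaScript block comment escape its context:
//   "*/"       ends the JS comment itself
//   "</script" ends the HTML script element (ASCII case-insensitive)
//   "<!--"     opens an HTML comment, which changes script-data tokenisation
// The replacements are the ones described in the issue; the escaped forms
// are inert inside a comment, since comment bodies are never evaluated.
func sanitizeCommentText(s string) string {
	s = strings.ReplaceAll(s, "*/", "* /")
	s = replaceFold(s, "</script", `\x3C/script`)
	s = strings.ReplaceAll(s, "<!--", `\x3C!--`)
	return s
}

// asciiLower lowercases only A-Z so byte offsets stay aligned with s.
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if 'A' <= c && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// replaceFold replaces every ASCII-case-insensitive occurrence of old with new.
func replaceFold(s, old, new string) string {
	var b strings.Builder
	lower, lowerOld := asciiLower(s), asciiLower(old)
	for {
		i := strings.Index(lower, lowerOld)
		if i < 0 {
			b.WriteString(s)
			return b.String()
		}
		b.WriteString(s[:i])
		b.WriteString(new)
		s, lower = s[i+len(old):], lower[i+len(old):]
	}
}

// badMarshaler is a constructed type whose MarshalJSON always fails and
// echoes caller-controlled input into the error message.
type badMarshaler struct{ Input string }

func (m badMarshaler) MarshalJSON() ([]byte, error) {
	return nil, errors.New("cannot marshal: " + m.Input)
}

// jsValue models the escaper: on success the JSON is emitted verbatim; on
// failure the sanitised error is placed in a JS block comment followed by
// null. The leading space keeps "x/{{y}}" from becoming a line comment.
func jsValue(v any) string {
	out, err := json.Marshal(v)
	if err != nil {
		return fmt.Sprintf(" /* %s */null ", sanitizeCommentText(err.Error()))
	}
	return string(out)
}

func main() {
	// Constructed input carrying all three dangerous sequences.
	fmt.Println(jsValue(badMarshaler{Input: "x */ </SCRIPT> <!--"}))
	fmt.Println(jsValue(map[string]int{"a": 1}))
}
```

Without the two extra replacements, the </SCRIPT> in the error would end the script element before the closing */ is ever reached; after sanitisation the emitted comment contains exactly one comment terminator, the one the escaper wrote itself.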
Thanks to RyotaK (@Ry0taK) for reporting this issue.