Skip to content

html/template: improper handling of HTML-like comments within script contexts (CVE-2023-39318) #62196

New issue
New issue
Closed
Closed
html/template: improper handling of HTML-like comments within script contexts (CVE-2023-39318)#62196
Labels
FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker
Milestone
Go1.22
@rolandshoemaker

Description

@rolandshoemaker
rolandshoemaker
opened on Aug 21, 2023

The html/template package did not properly handle HMTL-like ""
comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may
cause the template parser to improperly interpret the contents of <script>
contexts, causing actions to be improperly escaped. This could be leveraged to
perform an XSS attack.

Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
issue.

This is CVE-2023-39318 and Go issue https://go.dev/issue/62196.

This is a PRIVATE issue for CVE-2023-39318, tracked in http://b/293889520 and fixed by http://tg/c/1976593.

/cc @golang/security and @golang/release

Metadata

Metadata

Assignees

No one assigned

    Labels

    FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions