diff options
author | Roland Shoemaker <bracewell@google.com> | 2023-04-13 15:40:44 -0700 |
---|---|---|
committer | Carlos Amedee <carlos@golang.org> | 2023-05-02 16:32:02 +0000 |
commit | 090590fdccc8442728aa31601927da1bf2ef1288 (patch) | |
tree | 302c0178f028fc677b2bcfaeb578b2e990424ecf | |
parent | 25b4f4062589a349117aaf52edf8db8ffa68773b (diff) | |
download | go-git-090590fdccc8442728aa31601927da1bf2ef1288.tar.gz |
[release-branch.go1.20] html/template: disallow angle brackets in CSS values
Angle brackets should not appear in CSS contexts, as they may affect
token boundaries (such as closing a <style> tag, resulting in
injection). Instead emit filterFailsafe, matching the behavior for other
dangerous characters.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
For #59720
Fixes #59812
Fixes CVE-2023-24539
Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851492
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491336
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
-rw-r--r-- | src/html/template/css.go | 2 | ||||
-rw-r--r-- | src/html/template/css_test.go | 2 |
2 files changed, 3 insertions, 1 deletions
diff --git a/src/html/template/css.go b/src/html/template/css.go index 890a0c6b22..f650d8b3e8 100644 --- a/src/html/template/css.go +++ b/src/html/template/css.go @@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string { // inside a string that might embed JavaScript source. for i, c := range b { switch c { - case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}': + case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>': return filterFailsafe case '-': // Disallow <!-- or -->. diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go index a735638b03..2b76256a76 100644 --- a/src/html/template/css_test.go +++ b/src/html/template/css_test.go @@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) { {`-exp\000052 ession(alert(1337))`, "ZgotmplZ"}, {`-expre\0000073sion`, "-expre\x073sion"}, {`@import url evil.css`, "ZgotmplZ"}, + {"<", "ZgotmplZ"}, + {">", "ZgotmplZ"}, } for _, test := range tests { got := cssValueFilter(test.css) |