diff options
| author | Roland Shoemaker <bracewell@google.com> | 2023-04-13 15:40:44 -0700 |
|---|---|---|
| committer | Carlos Amedee <carlos@golang.org> | 2023-05-02 16:31:51 +0000 |
| commit | e49282327b05192e46086bf25fd3ac691205fe80 (patch) | |
| tree | 026cc1d3694455827c99fbfacb020ad7ac7d4841 | |
| parent | c3c53a2c67f6f851ef974d54db1cc0d4d0ee6f75 (diff) | |
| download | go-e49282327b05192e46086bf25fd3ac691205fe80.tar.gz go-e49282327b05192e46086bf25fd3ac691205fe80.zip | |
[release-branch.go1.19] html/template: disallow angle brackets in CSS values
Angle brackets should not appear in CSS contexts, as they may affect
token boundaries (such as closing a <style> tag, resulting in
injection). Instead emit filterFailsafe, matching the behavior for other
dangerous characters.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
For #59720
Fixes #59811
Fixes CVE-2023-24539
Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851496
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491335
Run-TryBot: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
| -rw-r--r-- | src/html/template/css.go | 2 | ||||
| -rw-r--r-- | src/html/template/css_test.go | 2 |
2 files changed, 3 insertions, 1 deletions
diff --git a/src/html/template/css.go b/src/html/template/css.go index 890a0c6b22..f650d8b3e8 100644 --- a/src/html/template/css.go +++ b/src/html/template/css.go @@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string { // inside a string that might embed JavaScript source. for i, c := range b { switch c { - case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}': + case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>': return filterFailsafe case '-': // Disallow <!-- or -->. diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go index a735638b03..2b76256a76 100644 --- a/src/html/template/css_test.go +++ b/src/html/template/css_test.go @@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) { {`-exp\000052 ession(alert(1337))`, "ZgotmplZ"}, {`-expre\0000073sion`, "-expre\x073sion"}, {`@import url evil.css`, "ZgotmplZ"}, + {"<", "ZgotmplZ"}, + {">", "ZgotmplZ"}, } for _, test := range tests { got := cssValueFilter(test.css) |