diff options
| author | Roberto Clapis <robclap8@gmail.com> | 2019-11-18 10:05:07 +0100 |
|---|---|---|
| committer | Filippo Valsorda <filippo@golang.org> | 2019-11-21 22:20:17 +0000 |
| commit | 94e9a5e19b831504eca2b7202b78d1a48c4be547 (patch) | |
| tree | 6ac7a10d3644bf3efa6b026f4eb9b817fa6b15b4 /src/text | |
| parent | f4a8bf128364e852cff87cf404a5c16c457ef8f6 (diff) | |
| download | go-94e9a5e19b831504eca2b7202b78d1a48c4be547.tar.gz go-94e9a5e19b831504eca2b7202b78d1a48c4be547.zip | |
text/template: harden JSEscape to also escape ampersand and equal
Ampersand and equal are not dangerous in a JS/JSString context
but they might cause issues if interpolated in HTML attributes.
This change makes it harder to introduce XSS by misusing
escaping.
Thanks to t1ddl3r <t1ddl3r@gmail.com> for reporting this common
misuse scenario.
Fixes #35665
Change-Id: Ice6416477bba4cb2ba2fe2cfdc20e027957255c0
Reviewed-on: https://go-review.googlesource.com/c/go/+/207637
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Mike Samuel <mikesamuel@gmail.com>
Reviewed-by: Andrew Bonventre <andybons@golang.org>
Reviewed-by: Daniel Martí <mvdan@mvdan.cc>
Diffstat (limited to 'src/text')
| -rw-r--r-- | src/text/template/exec_test.go | 2 | ||||
| -rw-r--r-- | src/text/template/funcs.go | 8 |
2 files changed, 9 insertions, 1 deletions
diff --git a/src/text/template/exec_test.go b/src/text/template/exec_test.go index 2b299b0bf6..aa5cd4c552 100644 --- a/src/text/template/exec_test.go +++ b/src/text/template/exec_test.go @@ -909,6 +909,8 @@ func TestJSEscaping(t *testing.T) { {`Yukihiro says "今日は世界"`, `Yukihiro says \"今日は世界\"`}, {"unprintable \uFDFF", `unprintable \uFDFF`}, {`<html>`, `\x3Chtml\x3E`}, + {`no = in attributes`, `no \x3D in attributes`}, + {`' does not become HTML entity`, `\x26#x27; does not become HTML entity`}, } for _, tc := range testCases { s := JSEscapeString(tc.in) diff --git a/src/text/template/funcs.go b/src/text/template/funcs.go index 0985eda317..0568c798a8 100644 --- a/src/text/template/funcs.go +++ b/src/text/template/funcs.go @@ -642,6 +642,8 @@ var ( jsQuot = []byte(`\"`) jsLt = []byte(`\x3C`) jsGt = []byte(`\x3E`) + jsAmp = []byte(`\x26`) + jsEq = []byte(`\x3D`) ) // JSEscape writes to w the escaped JavaScript equivalent of the plain text data b. @@ -670,6 +672,10 @@ func JSEscape(w io.Writer, b []byte) { w.Write(jsLt) case '>': w.Write(jsGt) + case '&': + w.Write(jsAmp) + case '=': + w.Write(jsEq) default: w.Write(jsLowUni) t, b := c>>4, c&0x0f @@ -704,7 +710,7 @@ func JSEscapeString(s string) string { func jsIsSpecial(r rune) bool { switch r { - case '\\', '\'', '"', '<', '>': + case '\\', '\'', '"', '<', '>', '&', '=': return true } return r < ' ' || utf8.RuneSelf <= r |