Cypherpunks.ru repositories - gostls13.git/commit
text/template: harden JSEscape to also escape ampersand and equal
author: Roberto Clapis <robclap8@gmail.com>
Mon, 18 Nov 2019 09:05:07 +0000 (10:05 +0100)
committer: Filippo Valsorda <filippo@golang.org>
Thu, 21 Nov 2019 22:20:17 +0000 (22:20 +0000)
commit: 94e9a5e19b831504eca2b7202b78d1a48c4be547
tree: 6ac7a10d3644bf3efa6b026f4eb9b817fa6b15b4
parent: f4a8bf128364e852cff87cf404a5c16c457ef8f6

Ampersand and equal are not dangerous in a JS/JSString context
but they might cause issues if interpolated in HTML attributes.

This change makes it harder to introduce XSS by misusing
escaping.

Thanks to t1ddl3r <t1ddl3r@gmail.com> for reporting this common
misuse scenario.

Fixes #35665

Change-Id: Ice6416477bba4cb2ba2fe2cfdc20e027957255c0
Reviewed-on: https://go-review.googlesource.com/c/go/+/207637
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Mike Samuel <mikesamuel@gmail.com>
Reviewed-by: Andrew Bonventre <andybons@golang.org>
Reviewed-by: Daniel Martí <mvdan@mvdan.cc>
src/html/template/example_test.go
src/text/template/exec_test.go
src/text/template/funcs.go
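As an added example (not part of this commit or of the Go project's own tests), the Go program below shows what the hardened JSEscapeString does with a value containing & and =, and goes beyond the commit by contrasting it with html/template, which picks the escaper from context rather than relying on the caller to choose JSEscape. The sample value, the onclick template and the helper names are constructed for the illustration; it assumes a Go release that includes this change.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// Constructed sample: an untrusted value carrying & and = plus the characters JSEscape already handled.
const sample = `a&b=c<script>"x"`

// jsEscapeForCheck runs text/template's JSEscapeString and reports whether any
// byte that can split or extend an HTML attribute value (<, >, &, =) survived.
// Quotes come out as \" and \' rather than \u-encoded, so a raw quote can still
// close a quoted attribute: the hardening narrows the misuse, nothing more.
func jsEscapeForCheck(s string) (escaped string, breakersGone, rawQuotes bool) {
	escaped = texttemplate.JSEscapeString(s)
	breakersGone = !strings.ContainsAny(escaped, "<>&=")
	rawQuotes = strings.ContainsAny(escaped, `"'`)
	return
}

// renderHandlerAttr is the mitigation: html/template chooses the escaper
// from context (JS string inside an HTML attribute), so nobody has to call
// JSEscape by hand. The template and attribute name are illustrative.
func renderHandlerAttr(v string) (string, error) {
	t := htmltemplate.Must(htmltemplate.New("a").Parse(`<a onclick="go({{.}})">x</a>`))
	var buf bytes.Buffer
	if err := t.Execute(&buf, v); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// attrBoundaryIntact reports whether the markup still has exactly the two quotes
// delimiting onclick and the two angle brackets of <a>...</a>: no new attribute or tag.
func attrBoundaryIntact(out string) bool {
	return strings.Count(out, `"`) == 2 && strings.Count(out, "<") == 2 &&
		strings.Count(out, ">") == 2
}

func main() {
	esc, gone, raw := jsEscapeForCheck(sample)
	fmt.Println(esc, gone, raw)
	out, _ := renderHandlerAttr(sample)
	fmt.Println(out, attrBoundaryIntact(out))
}
```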