html: UnescapeString unescapes HTML character references without a final semicolon in an attribute #40320
Labels
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Comments
toothrot
added
the
NeedsInvestigation
|
/cc @mikesamuel @empijei |
|
This is interesting and it indeed looks like a bug, thanks for reporting. My only concern with fixing it is that browsers have the tendency of adjusting invalid encodings/HTML to try and display something, even if it doesn't match the markup they received. The consequence of this is that if we leave incomplete encodings in the decoded output we might risk to introduce some mutation-based XSS. I need to investigate a bit more on this to see if there are security risks in addressing it. |
|
thanks for looking! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What version of Go are you using (
go version)?Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (
go env)?What did you do?
this is related to #21563
https://play.golang.com/p/Fh08ftsK9YQ
pass the string "<a href=example.com?param=value×tamp=123>link" to html.UnescapeString
What did you expect to see?
according to https://html.spec.whatwg.org/multipage/parsing.html#character-reference-state
in an attribute, no character reference is parsed and string remains intact
it seems like an attempt was made to do this, but attribute is a constant?
https://golang.org/src/html/escape.go?s=1296:1319#L57
https://golang.org/src/html/escape.go?s=3112:3194#L142
I would expect the same string to come back
What did you see instead?
× is changed to ×
The text was updated successfully, but these errors were encountered: