html/template: JS context breaks after a quoted </script> #43730
Labels: NeedsInvestigation
### What version of Go are you using (`go version`)?

### Does this issue reproduce with the latest release?

Yes

### What operating system and processor architecture are you using (`go env`)?

darwin/amd64

### `go env` Output

### What did you do?
The existence of a `</script>` tag inside a JavaScript string breaks the context and can cause code injection. In the following example, the first variable is properly quoted, but the variables after `"</script>"` are not treated as a JavaScript string, and the Go representation is displayed: https://play.golang.org/p/_XqZ3NtXYVE
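An added example (not the reporter's playground code) that renders the scenario above next to the conventional fix: spelling the literal as `"<\/script>"`, which no HTML parser, html/template's context tracker included, reads as an end tag. The data value and both templates are constructed; `jsEscaped` reports which escaper each action actually received.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Constructed data: a value containing '<' makes the escaper's choice visible.
//   JS context   -> "x\u003cy"  (JSON-quoted by the JS value escaper)
//   HTML context -> x&lt;y      (HTML-escaped raw text, no quotes)
const sample = "x<y"

// Constructed templates that differ only in how the "</script>" literal is
// spelled inside the JavaScript string. The "<\/script>" form is the usual
// JS idiom for embedding an end tag in an inline script.
const unsafeTmpl = `<script>var a = {{.}}; var b = "</script>"; var c = {{.}};</script>`
const safeTmpl = `<script>var a = {{.}}; var b = "<\/script>"; var c = {{.}};</script>`

// render executes the template text with sample and returns the escaped output.
func render(text string) (string, error) {
	t, err := template.New("t").Parse(text)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, sample); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// jsEscaped reports whether the named variable received the JS-escaped
// (JSON-quoted) form of sample rather than the HTML-escaped form.
func jsEscaped(out, name string) bool {
	return strings.Contains(out, name+` = "x\u003cy";`)
}

func main() {
	for _, tmpl := range []string{unsafeTmpl, safeTmpl} {
		out, err := render(tmpl)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s\n  a JS-escaped: %v, c JS-escaped: %v\n",
			out, jsEscaped(out, "var a"), jsEscaped(out, "var c"))
	}
}
```

Whether `var c` in the unsafe template is JS-escaped depends on the Go release; with the `"<\/script>"` spelling both actions stay in the JS context regardless.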