
html/template: JS context breaks after a quoted </script> #43730

Open
maraino opened this issue Jan 15, 2021 · 3 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Comments

maraino commented Jan 15, 2021

What version of Go are you using (go version)?

$ go version
go version go1.15.6 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

darwin/amd64

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/mariano/Library/Caches/go-build"
GOENV="/Users/mariano/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/mariano/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/mariano/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/Cellar/go/1.15.6/libexec"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.15.6/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/6g/rqtbx_fd6ljgvql610mhh7sr0000gn/T/go-build388033793=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

The existence of a </script> tag inside a JavaScript string breaks the context and can cause code injection.

In the following example, the first variable is properly quoted, but the variables after "</script>" are not treated as a JavaScript string, and the Go representation is displayed.

https://play.golang.org/p/_XqZ3NtXYVE

What did you expect to see?

<script>var b = {"foo": "foo", "script": "</script>", "bar": "bar"}</script>

What did you see instead?

<script>var b = {"foo": "foo", "script": "</script>", "bar": bar}</script>
@seankhliao seankhliao changed the title html/template JS context breaks after a quoted </script> html/template: JS context breaks after a quoted </script> Jan 15, 2021
@seankhliao seankhliao added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jan 15, 2021
@soroushj
This is the expected behavior. To get your expected result, you should use something like "<" + "/script>" or "<\/script>" instead of "</script>".

ghost commented Jan 18, 2021

Browsers behave the same way.

maraino commented Jan 20, 2021

I've checked, and yes, browsers behave the same way. I suppose we can close this issue.

@seankhliao seankhliao added this to the Unplanned milestone Aug 27, 2022