x/pkgsite: XSS possible (?) by injecting HTML into Example output #46661
Labels: FrozenDueToAge, pkgsite/frontend (issues related to pkgsite HTML/CSS/JavaScript and frontend development), pkgsite
Milestone
What is the URL of the page with the issue?
https://pkg.go.dev/github.com/maragudk/gomponents#Attr
What is your user agent?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Safari/605.1.15
Screenshot
What did you do?
I'm building a library to render HTML. I have some examples in the test code that render a string like
<input required>
(in the screenshot).
What did you expect to see?
I expected the example output to be
<input required>
(as a string). It is on the first screenshot, but press the Run button, and there is no string.
What did you see instead?
Instead, there's an HTML input field, which means that the output string isn't being properly escaped.
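As an added example (not code from the issue or from pkgsite), the Go program below shows the difference between rendering untrusted example output through html/template as a plain string and marking it as template.HTML: the first keeps `<input required>` as visible text, the second hands the browser a live element, which is the symptom reported above. The `<pre>` wrapper and the idea that a template.HTML cast is the cause are assumptions, since the issue does not show pkgsite's template code.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Constructed sample: the example output quoted in the issue.
const exampleOutput = "<input required>"

// The wrapper element is an assumption; the issue does not show
// pkgsite's real template.
var outputTmpl = template.Must(template.New("example").Parse(`<pre>{{.}}</pre>`))

// renderTrusted marks the output as already-safe HTML, which disables
// html/template's escaping. This reproduces the symptom in the issue
// (a live <input> element instead of text); whether pkgsite did
// exactly this is an assumption.
func renderTrusted(out string) (string, error) {
	var buf bytes.Buffer
	if err := outputTmpl.Execute(&buf, template.HTML(out)); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderEscaped passes the output as a plain string, so html/template's
// contextual auto-escaping turns < and > into entities and the reader
// sees the literal string the example produced.
func renderEscaped(out string) (string, error) {
	var buf bytes.Buffer
	if err := outputTmpl.Execute(&buf, out); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	trusted, _ := renderTrusted(exampleOutput)
	escaped, _ := renderEscaped(exampleOutput)
	fmt.Println("as template.HTML:", trusted) // <pre><input required></pre>
	fmt.Println("as string:       ", escaped) // <pre>&lt;input required&gt;</pre>
}
```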