x/pkgsite: XSS possible (?) by injecting HTML into Example output #46661
Labels
FrozenDueToAge
pkgsite/frontend
Issues related to pkgsite HTML/CSS/JavaScript and frontend development
pkgsite
Milestone
Comments
|
Change https://golang.org/cl/326349 mentions this issue: |
|
@jamalc cool with the quick turnaround time! |
|
@markuswustenberg, thank you for reporting! |
|
@jamalc, has this not been deployed yet? I'm still seeing the issue live on the site. |
|
We ran into an issue with our deploy yesterday. This fix is now live. |
|
Works perfectly. 😎 |
hyangah
added
the
pkgsite/frontend
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
What is the URL of the page with the issue?
https://pkg.go.dev/github.com/maragudk/gomponents#Attr
What is your user agent?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Safari/605.1.15
Screenshot
What did you do?
I'm building a library to render HTML. I have some examples in the test code, that render a string like
<input required>(in the screenshot).What did you expect to see?
I expected the example output to be
<input required>(as a string). It is on the first screenshot, but press the Run button, and there is no string.What did you see instead?
Instead, there's an HTML
inputfield, which means that the output string isn't being properly escaped.The text was updated successfully, but these errors were encountered: