
x/net/html: text nodes outside of the HTML namespace improperly rendered #61615

Closed
rolandshoemaker opened this issue Jul 27, 2023 · 1 comment
Assignees
Labels
NeedsFix The path to resolution is known, but the work has not been done. Security
Milestone

Comments

rolandshoemaker (Member) commented Jul 27, 2023

Text nodes not in the HTML namespace were being incorrectly literally rendered, causing text which should've been escaped to not be. This could lead to an XSS attack.

This is a PRIVATE issue for CVE-2023-3978, tracked in http://b/289177674 and fixed by http://tg/1942896.

/cc @golang/security and @golang/release
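To make the escaping bug concrete from a defender's side, here is an added Go example; it is not code from x/net/html or from the fix CL. It uses a toy `Node` type and a simplified serialiser of my own, and the `rawTextElements` set is an assumption standing in for the HTML serialisation algorithm's raw-text elements. The two policies contrast the pre-fix decision (literal output chosen from the parent tag name alone, so a `<script>` nested inside `<svg>` is treated as an HTML `<script>`) with the corrected decision described by the CL title: literal output only when the parent is also in the HTML namespace.

```go
package main

import (
	"fmt"
	"strings"
)

// NodeType distinguishes element nodes from text nodes in this toy DOM.
type NodeType int

const (
	ElementNode NodeType = iota
	TextNode
)

// Node is a deliberately small stand-in for a parsed DOM node. Namespace is ""
// for the HTML namespace and "svg" or "math" for foreign content. This is a
// constructed model for illustration, not the x/net/html Node type.
type Node struct {
	Type      NodeType
	Data      string // element name, or the text of a text node
	Namespace string
	Children  []*Node
}

// rawTextElements is the set of HTML elements whose text children are written
// out verbatim by the HTML serialisation algorithm (assumed list; the point of
// the example is the namespace check, not the exact membership).
var rawTextElements = map[string]bool{
	"iframe": true, "noembed": true, "noframes": true, "noscript": true,
	"plaintext": true, "script": true, "style": true, "xmp": true,
}

// escapeText applies the usual entity escaping for text content.
func escapeText(s string) string {
	return strings.NewReplacer("&", "&amp;", "<", "&lt;", ">", "&gt;").Replace(s)
}

// textPolicy decides how a text node is serialised given its parent element.
type textPolicy func(parent *Node, text string) string

// vulnerablePolicy models the pre-fix behaviour: the decision to write text
// literally looks only at the parent's tag name, so a <script> nested inside
// <svg> (foreign namespace) is treated like an HTML <script>.
func vulnerablePolicy(parent *Node, text string) string {
	if parent != nil && rawTextElements[parent.Data] {
		return text
	}
	return escapeText(text)
}

// fixedPolicy models the corrected behaviour: literal output only when the
// parent is a raw-text element AND lives in the HTML namespace.
func fixedPolicy(parent *Node, text string) string {
	if parent != nil && parent.Namespace == "" && rawTextElements[parent.Data] {
		return text
	}
	return escapeText(text)
}

// Render serialises the tree rooted at n, applying policy to every text node.
func Render(n *Node, policy textPolicy) string {
	var sb strings.Builder
	var walk func(parent, cur *Node)
	walk = func(parent, cur *Node) {
		switch cur.Type {
		case TextNode:
			sb.WriteString(policy(parent, cur.Data))
		case ElementNode:
			sb.WriteString("<" + cur.Data + ">")
			for _, c := range cur.Children {
				walk(cur, c)
			}
			sb.WriteString("</" + cur.Data + ">")
		}
	}
	walk(nil, n)
	return sb.String()
}

// ForeignScriptTree builds the constructed input
// <div><svg><script>TEXT</script></svg></div>, where the text node holds
// markup-looking characters that must come out escaped.
func ForeignScriptTree() *Node {
	return &Node{Type: ElementNode, Data: "div", Children: []*Node{
		{Type: ElementNode, Data: "svg", Namespace: "svg", Children: []*Node{
			{Type: ElementNode, Data: "script", Namespace: "svg", Children: []*Node{
				{Type: TextNode, Data: "<b>x</b>"},
			}},
		}},
	}}
}

// HTMLScriptTree builds <script>var a = 1 < 2;</script> in the HTML namespace,
// which must keep rendering literally after the fix.
func HTMLScriptTree() *Node {
	return &Node{Type: ElementNode, Data: "script", Children: []*Node{
		{Type: TextNode, Data: "var a = 1 < 2;"},
	}}
}

func main() {
	for _, tree := range []*Node{ForeignScriptTree(), HTMLScriptTree()} {
		fmt.Println("vulnerable:", Render(tree, vulnerablePolicy))
		fmt.Println("fixed:     ", Render(tree, fixedPolicy))
	}
}
```

Running it shows the foreign-namespace `<script>` text emitted raw under `vulnerablePolicy` and as `&lt;b&gt;x&lt;/b&gt;` under `fixedPolicy`, while the HTML-namespace `<script>` body stays literal under both, which is the behaviour a regression test for this class of bug should pin down.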

@rolandshoemaker rolandshoemaker added Security NeedsFix The path to resolution is known, but the work has not been done. labels Jul 27, 2023
gopherbot commented:

Change https://go.dev/cl/514896 mentions this issue: html: only render content literally in the HTML namespace

@rolandshoemaker rolandshoemaker changed the title security: fix CVE-2023-3978 x/net/html: text nodes outside of the HTML namespace improperly rendered Aug 1, 2023
@neild neild self-assigned this Aug 1, 2023
@dmitshur dmitshur added this to the Unreleased milestone Aug 2, 2023