golang/go

html/template: dynamic substrings in HTML tags or attributes can result in unsafe HTML output

Open

#19,669 opened on Mar 23, 2017

View on GitHub
 (7 comments) (0 reactions) (0 assignees)Go (19,008 forks)batch import
NeedsFixhelp wanted

Repository metrics

Stars
 (133,883 stars)
PR merge metrics
 (No merged PRs in 30d)

Description

The following template:

<s{{.X}}>alert('pwned')</script>

produces the following HTML output when executed with X = "cript":

<script>alert('pwned')</script>

This happens because:

  • During HTML parsing/escaping time, the parser interprets "s" as the tag name, since the rest of the tagname will only be evaluated at execution-time. This causes the escaper to transition into the plain-text state, rather than the JS state, inside the script element body.
  • During execution time, the htmlNameFilter inserted into {{.X}} (i.e. {{.X | _html_template_htmlnamefilter) sees the text value "cript", deems that it is a safe HTML tag/attribute name, and renders it as-is.

In general, allowing dynamic substrings in HTML tags or attributes may confuse the parser and escaper, since the static and dynamic parts of the name are handled in different phases.

Suggested solution: disallow dynamic substrings in HTML tags or attributes completely.

Contributor guide