golang/go

html/template: dynamic substrings in HTML tags or attributes can result in unsafe HTML output

Open

#19.669 aperta il 23 mar 2017

Vedi su GitHub
 (7 commenti) (0 reazioni) (0 assegnatari)Go (19.008 fork)batch import
NeedsFixhelp wanted

Metriche repository

Star
 (133.883 star)
Metriche merge PR
 (Nessuna PR mergiata in 30 g)

Descrizione

The following template:

<s{{.X}}>alert('pwned')</script>

produces the following HTML output when executed with X = "cript":

<script>alert('pwned')</script>

This happens because:

  • During HTML parsing/escaping time, the parser interprets "s" as the tag name, since the rest of the tagname will only be evaluated at execution-time. This causes the escaper to transition into the plain-text state, rather than the JS state, inside the script element body.
  • During execution time, the htmlNameFilter inserted into {{.X}} (i.e. {{.X | _html_template_htmlnamefilter) sees the text value "cript", deems that it is a safe HTML tag/attribute name, and renders it as-is.

In general, allowing dynamic substrings in HTML tags or attributes may confuse the parser and escaper, since the static and dynamic parts of the name are handled in different phases.

Suggested solution: disallow dynamic substrings in HTML tags or attributes completely.

Guida contributor