golang/go
Vedi su GitHubhtml/template: dynamic substrings in HTML tags or attributes can result in unsafe HTML output
Open
#19.669 aperta il 23 mar 2017
NeedsFixhelp wanted
Metriche repository
- Star
- (133.883 star)
- Metriche merge PR
- (Nessuna PR mergiata in 30 g)
Descrizione
The following template:
<s{{.X}}>alert('pwned')</script>
produces the following HTML output when executed with X = "cript":
<script>alert('pwned')</script>
This happens because:
- During HTML parsing/escaping time, the parser interprets "s" as the tag name, since the rest of the tagname will only be evaluated at execution-time. This causes the escaper to transition into the plain-text state, rather than the JS state, inside the script element body.
- During execution time, the htmlNameFilter inserted into
{{.X}}(i.e.{{.X | _html_template_htmlnamefilter) sees the text value"cript", deems that it is a safe HTML tag/attribute name, and renders it as-is.
In general, allowing dynamic substrings in HTML tags or attributes may confuse the parser and escaper, since the static and dynamic parts of the name are handled in different phases.
Suggested solution: disallow dynamic substrings in HTML tags or attributes completely.