golang/go

html/template: dynamic substrings in HTML tags or attributes can result in unsafe HTML output

Open

#19.669 aberto em 23 de mar. de 2017

Ver no GitHub
 (7 comments) (0 reactions) (0 assignees)Go (19.008 forks)batch import
NeedsFixhelp wanted

Métricas do repositório

Stars
 (133.883 stars)
Métricas de merge de PR
 (Nenhuma PRs mesclada em 30d)

Description

The following template:

<s{{.X}}>alert('pwned')</script>

produces the following HTML output when executed with X = "cript":

<script>alert('pwned')</script>

This happens because:

  • During HTML parsing/escaping time, the parser interprets "s" as the tag name, since the rest of the tagname will only be evaluated at execution-time. This causes the escaper to transition into the plain-text state, rather than the JS state, inside the script element body.
  • During execution time, the htmlNameFilter inserted into {{.X}} (i.e. {{.X | _html_template_htmlnamefilter) sees the text value "cript", deems that it is a safe HTML tag/attribute name, and renders it as-is.

In general, allowing dynamic substrings in HTML tags or attributes may confuse the parser and escaper, since the static and dynamic parts of the name are handled in different phases.

Suggested solution: disallow dynamic substrings in HTML tags or attributes completely.

Guia do colaborador