golang/go

html/template: dynamic substrings in HTML tags or attributes can result in unsafe HTML output

Open

#19,669 创建于 2017年3月23日

在 GitHub 查看
 (7 评论) (0 反应) (0 负责人)Go (19,008 fork)batch import
NeedsFixhelp wanted

仓库指标

Star
 (133,883 star)
PR 合并指标
 (30 天内没有已合并 PR)

描述

The following template:

<s{{.X}}>alert('pwned')</script>

produces the following HTML output when executed with X = "cript":

<script>alert('pwned')</script>

This happens because:

  • During HTML parsing/escaping time, the parser interprets "s" as the tag name, since the rest of the tagname will only be evaluated at execution-time. This causes the escaper to transition into the plain-text state, rather than the JS state, inside the script element body.
  • During execution time, the htmlNameFilter inserted into {{.X}} (i.e. {{.X | _html_template_htmlnamefilter) sees the text value "cript", deems that it is a safe HTML tag/attribute name, and renders it as-is.

In general, allowing dynamic substrings in HTML tags or attributes may confuse the parser and escaper, since the static and dynamic parts of the name are handled in different phases.

Suggested solution: disallow dynamic substrings in HTML tags or attributes completely.

贡献者指南