html/template: reject dynamic substrings in attribute names#78523
Open
mohammadmseet-hue wants to merge 1 commit intogolang:masterfrom
Open
html/template: reject dynamic substrings in attribute names#78523mohammadmseet-hue wants to merge 1 commit intogolang:masterfrom
mohammadmseet-hue wants to merge 1 commit intogolang:masterfrom
Conversation
The html/template escaper determines the security context of HTML
attributes (URL, CSS, JS, event handler) based on the attribute name
parsed from static template text. When an attribute name is split
across a static text prefix and a dynamic template action suffix,
the escaper only sees the static prefix and assigns the wrong
security context.
For example, in the template:
<a hre{{.Suffix}}="{{.URL}}">
The escaper sees the static prefix "hre" and assigns contentTypePlain.
At execution time, if Suffix="f", the output is:
<a href="javascript:alert(1)">
The URL value bypasses the urlfilter and urlnormalizer pipeline
because the escaper never recognized this as a URL attribute.
This affects all security-sensitive attributes: href, src, action,
formaction, style, and event handlers (on*).
Fix: track when an attribute name in static text runs to the end of
a text node boundary without being followed by whitespace or ">".
In this case, set a partialName flag on the context. If a template
action is encountered while partialName is true, return an error
instead of applying the insufficient htmlNameFilter.
The partialName flag is:
- Set by tTag when eatAttrName consumes to end of text
- Cleared by tTag when whitespace is encountered (name is complete)
- Cleared by tAttrName when the name ends within the text
- Cleared before branch nodes (if/range/with/template) since they
cannot continue a partial attribute name
- Excluded from context.eq() to avoid false ErrBranchEnd errors
This is a partial fix for golang#19669, covering the attribute name case.
The tag name case (<s{{.X}}> producing <script>) is acknowledged
but not addressed here due to the difficulty of distinguishing
complete tag names at text boundaries.
Fixes golang#19669
Change-Id: I0000000000000000000000000000000000000000
Contributor
|
This PR (HEAD: cff81f9) has been imported to Gerrit for code review. Please visit Gerrit at https://go-review.googlesource.com/c/go/+/762603. Important tips:
|
Contributor
|
Message from Gopher Robot: Patch Set 1: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/762603. |
Contributor
|
Message from Mohammad Seet: Patch Set 2: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/762603. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix a security vulnerability in html/template where splitting an
HTML attribute name across static template text and a dynamic
template action bypasses context-sensitive escaping.
When a template like <a hre{{.S}}="{{.U}}"> is executed with
S="f" and U="javascript:alert(1)", the output is
-- the javascript: URI passes
through unfiltered because the escaper only sees the static
prefix "hre" (which maps to contentTypePlain) and never applies
URL filtering.
Affected attributes: href, src, action, formaction, style,
and all event handlers (on*).
Affected versions: All Go versions through 1.24.4 and the
development branch.
Fix: Track when an attribute name in static text runs to the
end of a text node boundary (the partialName flag on context).
If a template action is encountered while partialName is true,
return an ErrBadHTML error at parse time instead of applying
the insufficient htmlNameFilter.
The fix preserves all valid patterns:
This is a partial fix for #19669 covering the attribute name
case.
PoC:
t := template.Must(template.New("x").Parse(
<a hre{{.S}}="{{.U}}">))var b strings.Builder
t.Execute(&b, struct{S,U string}{
"f", "javascript:alert(1)"})
// Before fix: (XSS!)
// After fix: error at parse time
Test plan:
Fixes #19669