GO-2023-1752

Source

https://pkg.go.dev/vuln/GO-2023-1752

Import Source

https://vuln.go.dev/ID/GO-2023-1752.json

Aliases

BIT-golang-2023-24540
CVE-2023-24540

Published

2023-05-05T21:10:22Z

Modified

2023-12-06T01:02:52.419007Z

Details

Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

References

https://go.dev/issue/59721
https://go.dev/cl/491616
https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU

Affected packages

Go / stdlib

Package

Name: stdlib

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

1.19.9

Introduced

1.20.0-0

Fixed

1.20.4

Ecosystem specific

{
    "imports": [
        {
            "path": "html/template",
            "symbols": [
                "Template.Execute",
                "Template.ExecuteTemplate",
                "nextJSCtx"
            ]
        }
    ]
}