GO-2023-1752

See a problem?

Source

https://pkg.go.dev/vuln/GO-2023-1752

Import Source

https://vuln.go.dev/ID/GO-2023-1752.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2023-1752

Aliases

Published

2023-05-05T21:10:22Z

Modified

2024-05-20T16:03:47Z

Summary

Improper handling of JavaScript whitespace in html/template

Details

Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

References

Credits

- Juho Nurminen of Mattermost

Affected packages

Go / stdlib

Package

Name: stdlib; View open source insights on deps.dev
Purl: pkg:golang/stdlib

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.19.9

Introduced

1.20.0-0

Fixed

1.20.4

Ecosystem specific

{
    "imports": [
        {
            "path": "html/template",
            "symbols": [
                "Template.Execute",
                "Template.ExecuteTemplate",
                "nextJSCtx"
            ]
        }
    ]
}