The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2023-2043" }