[go] html/template: fix escaping of URLs in meta content attributes

Neal Patel (Gerrit)

Apr 29, 2026, 12:04:42 PM
to goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Roland Shoemaker, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, golang-co...@googlegroups.com

Neal Patel submitted the change

Change information

Commit message:
html/template: fix escaping of URLs in meta content attributes

The WHATWG "shared declarative refresh steps" algorithm (§4.2.5.3)
skips ASCII whitespace between "url" and "=" when parsing the URL
portion of a meta content attribute.

Thank you to Samy Ghannad for reporting this issue.

Updates #78913
Fixes CVE-2026-39823
Change-Id: I7fc3bb9394b95e07b9b10fbc95725a3de6791774
Reviewed-by: Roland Shoemaker <rol...@golang.org>
TryBot-Bypass: Roland Shoemaker <rol...@golang.org>
Files:
  • M src/html/template/escape_test.go
  • M src/html/template/transition.go
Change size: S
Delta: 2 files changed, 27 insertions(+), 5 deletions(-)
Branch: refs/heads/master
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I7fc3bb9394b95e07b9b10fbc95725a3de6791774
Gerrit-Change-Number: 769920
Gerrit-PatchSet: 10
Gerrit-Owner: Neal Patel <neal...@google.com>
Gerrit-Reviewer: Neal Patel <neal...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-CC: Damien Neil <dn...@google.com>

Michael Pratt (Gerrit)

Apr 29, 2026, 4:36:37 PM
to Michael Pratt, Neal Patel, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, golang...@luci-project-accounts.iam.gserviceaccount.com, Roland Shoemaker, golang-co...@googlegroups.com

Michael Pratt submitted the change

Change information

Commit message:
[release-branch.go1.25] html/template: fix escaping of URLs in meta content attributes


The WHATWG "shared declarative refresh steps" algorithm (§4.2.5.3)
skips ASCII whitespace between "url" and "=" when parsing the URL
portion of a meta content attribute.

Thank you to Samy Ghannad for reporting this issue.

Updates #78913
Fixes #79031

Fixes CVE-2026-39823

Change-Id: I7fc3bb9394b95e07b9b10fbc95725a3de6791774
Reviewed-on: https://go-review.googlesource.com/c/go/+/769920
Reviewed-by: Roland Shoemaker <rol...@golang.org>
TryBot-Bypass: Roland Shoemaker <rol...@golang.org>
Files:
  • M src/html/template/escape_test.go
  • M src/html/template/transition.go
Change size: S
Delta: 2 files changed, 27 insertions(+), 5 deletions(-)
Branch: refs/heads/release-branch.go1.25
Submit Requirements:
  • requirement satisfied: Code-Review: +2 by Roland Shoemaker
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: release-branch.go1.25
Gerrit-Change-Id: I7fc3bb9394b95e07b9b10fbc95725a3de6791774
Gerrit-Change-Number: 772101
Gerrit-PatchSet: 3
Gerrit-Owner: Neal Patel <neal...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>

Michael Pratt (Gerrit)

Apr 29, 2026, 4:36:41 PM
to Michael Pratt, Neal Patel, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, golang...@luci-project-accounts.iam.gserviceaccount.com, Roland Shoemaker, golang-co...@googlegroups.com

Michael Pratt submitted the change

Change information

Commit message:
[release-branch.go1.26] html/template: fix escaping of URLs in meta content attributes


The WHATWG "shared declarative refresh steps" algorithm (§4.2.5.3)
skips ASCII whitespace between "url" and "=" when parsing the URL
portion of a meta content attribute.

Thank you to Samy Ghannad for reporting this issue.

Updates #78913
Fixes #79032

Fixes CVE-2026-39823

Change-Id: I7fc3bb9394b95e07b9b10fbc95725a3de6791774
Reviewed-on: https://go-review.googlesource.com/c/go/+/769920
Reviewed-by: Roland Shoemaker <rol...@golang.org>
TryBot-Bypass: Roland Shoemaker <rol...@golang.org>
(cherry picked from commit f2ec1254ff32fa39f3ce4faf72bbe44eeeeebad9)
Files:
  • M src/html/template/escape_test.go
  • M src/html/template/transition.go
Change size: S
Delta: 2 files changed, 27 insertions(+), 5 deletions(-)
Branch: refs/heads/release-branch.go1.26
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: release-branch.go1.26
Gerrit-Change-Id: I7fc3bb9394b95e07b9b10fbc95725a3de6791774
Gerrit-Change-Number: 772103
Gerrit-PatchSet: 2
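
The parsing behaviour the commit message refers to, as an added Go example that is not part of the change or of html/template: a simplified walk through the URL-locating part of the refresh steps, next to a hypothetical matcher that only recognizes a literal `url=`. The function names and sample values are constructed for illustration, and a partial keyword match (for example `url` with no `=`) is simply treated as the start of the URL.

```go
package main

import (
	"fmt"
	"strings"
)

const ws = "\t\n\f\r " // ASCII whitespace per the WHATWG Infra standard

// naiveURL is a hypothetical matcher that only recognizes a literal "url=".
func naiveURL(s string) (string, bool) {
	_, u, ok := strings.Cut(s, "url=")
	return u, ok
}

// refreshURL returns the URL portion of a meta refresh content value, if any.
func refreshURL(s string) (u string, ok bool) {
	s = strings.TrimLeft(s, ws)
	rest := strings.TrimLeft(s, "0123456789.") // delay, fraction ignored
	if len(rest) == len(s) || rest == "" || strings.IndexByte(";,"+ws, rest[0]) < 0 {
		return "", false // no delay, or nothing valid after it
	}
	s = strings.TrimLeft(rest, ws)
	if s != "" && (s[0] == ';' || s[0] == ',') {
		s = s[1:]
	}
	if s = strings.TrimLeft(s, ws); s == "" {
		return "", false
	}
	// Optional keyword: "url", ASCII whitespace, "=", ASCII whitespace.
	if len(s) >= 3 && strings.EqualFold(s[:3], "url") {
		if t := strings.TrimLeft(s[3:], ws); strings.HasPrefix(t, "=") {
			s = strings.TrimLeft(t[1:], ws)
		}
	}
	if s != "" && (s[0] == '"' || s[0] == '\'') {
		u, _, _ = strings.Cut(s[1:], s[:1]) // stop at the matching quote, if present
		return u, true
	}
	return s, true
}

func main() { // the content values below are constructed samples
	for _, c := range []string{"0;url=https://example.test/a", "0; url \t= 'https://example.test/b'"} {
		n, nok := naiveURL(c)
		u, ok := refreshURL(c)
		fmt.Printf("%q naive=(%q,%v) spec=(%q,%v)\n", c, n, nok, u, ok)
	}
}
```

An escaper that decides where the URL starts with the literal match treats the second value as having no URL, while a parser following the whitespace-skipping steps still finds one.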