[go] html/template: fix escaping of URLs in meta content attributes
3 views
Skip to first unread message
Neal Patel (Gerrit)
Apr 22, 2026, 6:45:07 PM (6 days ago) Apr 22
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Neal Patel has uploaded the change for review![]( "Open in Gerrit")
Commit message
html/template: fix escaping of URLs in meta content attributes
The WHATWG "shared declarative refresh steps" algorithm (§4.2.5.3)
skips ASCII whitespace between "url" and "=" when parsing the URL
portion of a meta content attribute.
Fixes #78913
Fixes CVE-2026-39823
Change-Id: I7fc3bb9394b95e07b9b10fbc95725a3de6791774
Change diff
diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
index a39d696..0c56d6c 100644
--- a/src/html/template/escape_test.go
+++ b/src/html/template/escape_test.go
@@ -745,6 +745,26 @@
`<meta http-equiv="refresh" content="{{"asd: 123"}}">`,
`<meta http-equiv="refresh" content="asd: 123">`,
},
+ {
+ "meta content url with whitespace before equals",
+ `<meta http-equiv="refresh" content="0;url ={{"javascript:alert(1)"}}">`,
+ `<meta http-equiv="refresh" content="0;url =#ZgotmplZ">`,
+ },
+ {
+ "meta content url with tab before equals",
+ "<meta http-equiv=\"refresh\" content=\"0;url\t={{\"javascript:alert(1)\"}}\">",
+ "<meta http-equiv=\"refresh\" content=\"0;url\t=#ZgotmplZ\">",
+ },
+ {
+ "meta content url with space after equals",
+ `<meta http-equiv="refresh" content="0;url= {{"javascript:alert(1)"}}">`,
+ `<meta http-equiv="refresh" content="0;url= #ZgotmplZ">`,
+ },
+ {
+ "meta content url with whitespace both sides of equals",
+ "<meta http-equiv=\"refresh\" content=\"0;url \t= {{\"javascript:alert(1)\"}}\">",
+ "<meta http-equiv=\"refresh\" content=\"0;url \t= #ZgotmplZ\">",
+ },
}
for _, test := range tests {
diff --git a/src/html/template/transition.go b/src/html/template/transition.go
index 7fbab1d..ea4b272 100644
--- a/src/html/template/transition.go
+++ b/src/html/template/transition.go
@@ -626,10 +626,12 @@
// tMetaContent is the context transition function for the meta content attribute state.
func tMetaContent(c context, s []byte) (context, int) {
- for i := 0; i < len(s); i++ {
- if i+3 <= len(s)-1 && bytes.Equal(bytes.ToLower(s[i:i+4]), []byte("url=")) {
- c.state = stateMetaContentURL
- return c, i + 4
+ for i := range len(s) {
+ if i+3 <= len(s)-1 && bytes.EqualFold(s[i:i+3], []byte("url")) {
+ if j := eatWhiteSpace(s, i+3); j < len(s) && s[j] == '=' {
+ c.state = stateMetaContentURL
+ return c, j + 1
+ }
}
}
return c, len(s)
@@ -637,7 +639,7 @@
// tMetaContentURL is the context transition function for the "url=" part of a meta content attribute state.
func tMetaContentURL(c context, s []byte) (context, int) {
- for i := 0; i < len(s); i++ {
+ for i := range len(s) {
if s[i] == ';' {
c.state = stateMetaContent
return c, i + 1
Change information
Files:
- M src/html/template/escape_test.go
- M src/html/template/transition.go
Change size: S
Delta: 2 files changed, 27 insertions(+), 5 deletions(-)
Related details
Attention set is empty
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Neal Patel (Gerrit)
Apr 22, 2026, 6:45:23 PM (6 days ago) Apr 22
to goph...@pubsubhelper.golang.org, Roland Shoemaker, Damien Neil, golang-co...@googlegroups.com
Attention needed from Roland Shoemaker
Neal Patel voted Commit-Queue+1![]( "Open in Gerrit")
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Neal Patel (Gerrit)
Apr 22, 2026, 6:47:16 PM (6 days ago) Apr 22
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Attention needed from Neal Patel and Roland Shoemaker
Neal Patel uploaded new patchset![]( "Open in Gerrit")
Attention is currently required from:
- Neal Patel
- Roland Shoemaker
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Neal Patel (Gerrit)
Apr 22, 2026, 6:47:41 PM (6 days ago) Apr 22
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Attention needed from Neal Patel and Roland Shoemaker
Neal Patel uploaded new patchset![]( "Open in Gerrit")
Neal Patel uploaded patch set #3 to this change.
Related details
Attention is currently required from:
- Neal Patel
- Roland Shoemaker
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Neal Patel (Gerrit)
Apr 22, 2026, 6:47:48 PM (6 days ago) Apr 22
to goph...@pubsubhelper.golang.org, golang...@luci-project-accounts.iam.gserviceaccount.com, Roland Shoemaker, Damien Neil, golang-co...@googlegroups.com
Attention needed from Roland Shoemaker
Neal Patel voted Commit-Queue+1![]( "Open in Gerrit")
Attention is currently required from:
- Roland Shoemaker
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Neal Patel (Gerrit)
Apr 27, 2026, 5:38:18 PM (2 days ago) Apr 27
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Attention needed from Roland Shoemaker
Neal Patel uploaded new patchset![]( "Open in Gerrit")
Neal Patel uploaded patch set #4 to this change.
Following approvals got outdated and were removed:
- TryBots-Pass: LUCI-TryBot-Result+1 by golang...@luci-project-accounts.iam.gserviceaccount.com
Related details
Attention is currently required from:
- Roland Shoemaker
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Roland Shoemaker (Gerrit)
Apr 28, 2026, 4:08:14 PM (13 hours ago) Apr 28
to Neal Patel, goph...@pubsubhelper.golang.org, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, golang-co...@googlegroups.com
Attention needed from Neal Patel
Roland Shoemaker voted Code-Review+2![]( "Open in Gerrit")
Attention is currently required from:
- Neal Patel
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Neal Patel (Gerrit)
Apr 28, 2026, 8:54:42 PM (8 hours ago) Apr 28
to goph...@pubsubhelper.golang.org, Roland Shoemaker, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, golang-co...@googlegroups.com
Neal Patel voted Commit-Queue+1![]( "Open in Gerrit")
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Neal Patel (Gerrit)
Apr 28, 2026, 8:55:14 PM (8 hours ago) Apr 28
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Neal Patel uploaded new patchset![]( "Open in Gerrit")
Neal Patel uploaded patch set #7 to this change.
Related details
Attention set is empty
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages