
Go 1.20.4 and 1.19.9 Release: Security Fixes in html/template

The Go 1.20.4 and 1.19.9 releases address three critical security vulnerabilities in the html/template package, including improper handling of CSS values, JavaScript whitespace, and HTML empty attributes, which could lead to unintended HTML injection and attribute manipulation.

Laravel Tech Community

Go 1.20.4 and 1.19.9 have been released, and this update primarily fixes security‑related issues.

Go 1.20.4 fixes the following three security problems:

html/template: Improper handling of CSS values (CVE-2023-24539). When inserted into a CSS context, angle brackets (< >) are not treated as dangerous characters; templates containing multiple actions separated by a '/' character may unintentionally close the CSS context and allow injection of unexpected HTML when executed with untrusted input.

html/template: Improper handling of JavaScript whitespace (CVE-2023-24540). Not all valid JavaScript whitespace characters are recognized as whitespace; templates that contain whitespace characters outside the set "\t\n\f\r\u0020\u2028\u2029" may not be sanitized correctly during execution.

html/template: Improper handling of HTML empty attributes (CVE-2023-29400). Templates that place actions in unquoted HTML attributes (e.g. attr={{.}}) can produce unexpected output when executed with empty input, potentially allowing arbitrary attribute injection due to HTML normalization rules.

These fixes mitigate the risk of unintended HTML or attribute injection caused by malformed template processing.
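The three advisories all concern html/template's context-sensitive escaping: the package picks an escaper based on where an action sits (HTML text, quoted attribute, CSS, JavaScript) and substitutes the "ZgotmplZ" failsafe when a value cannot be made safe for that context. The program below is an added example, not code from the Go project or from this post. It renders untrusted input in a quoted attribute and in a CSS context to show the escaper at work, and it includes a small source-level check (a heuristic regular expression, assumed here and not part of html/template) that flags the unquoted attr={{.}} pattern named in CVE-2023-29400 so such templates can be found and quoted before upgrading is the only line of defense.

```go
package main

import (
	"fmt"
	"html/template"
	"regexp"
	"strings"
)

// render parses src as an html/template and executes it with data,
// returning the contextually escaped output.
func render(src string, data any) (string, error) {
	t, err := template.New("t").Parse(src)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, data); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// unquotedAttrAction is a heuristic (constructed for this example) that matches
// an attribute whose value begins directly with a template action, i.e. the
// `attr={{` shape described in CVE-2023-29400. Quoted forms such as attr="{{.}}"
// are not matched.
var unquotedAttrAction = regexp.MustCompile(`\b[A-Za-z-]+=\{\{`)

// findUnquotedAttrActions returns every unquoted-attribute action found in src.
// Run it over template sources to locate templates worth quoting.
func findUnquotedAttrActions(src string) []string {
	return unquotedAttrAction.FindAllString(src, -1)
}

func main() {
	// Constructed untrusted inputs, chosen to try to break out of each context.
	cases := []struct{ tmpl, input string }{
		{`<a title="{{.}}">x</a>`, `" onmouseover="alert(1)`},  // quoted attribute
		{`<p>{{.}}</p>`, `<script>alert(1)</script>`},           // HTML text
		{`<style>p { color: {{.}} }</style>`, `red`},            // safe CSS value
		{`<style>p { color: {{.}} }</style>`, `red;}</style><script>`}, // unsafe CSS value
		{`<div class={{.}}>`, ``},                               // unquoted attribute, empty input
	}
	for _, c := range cases {
		out, err := render(c.tmpl, c.input)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-40s -> %s\n", c.tmpl, out)
	}

	// Constructed template source to lint: one unquoted and one quoted action.
	src := `<div class={{.Class}} id="{{.ID}}">`
	fmt.Println("unquoted attribute actions:", findUnquotedAttrActions(src))
}
```

In the quoted-attribute case the embedded double quote is emitted as `&#34;`, so the value cannot terminate the attribute; in the CSS case the value containing `;` and `<` is replaced by the ZgotmplZ failsafe rather than being allowed to close the style block. The last render case is the exact pattern from CVE-2023-29400: compare its output on an unpatched and a patched toolchain, and use the lint to find any such template so the attribute can be quoted regardless of Go version.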

Tags: go, security, CVE, html/template, go1.20.4