html: ignore templates nested within foreign content

Fixes #46288
Fixes CVE-2021-33194

Change-Id: I2fe39702de8e9aab29965c1526e377a6f9cdf056
Reviewed-on: https://go-review.googlesource.com/c/net/+/311090
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Trust: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>

html/parse.go

@@ -663,6 +663,24 @@ func inHeadIM(p *parser) bool {
 			// Ignore the token.
 			return true
 		case a.Template:
+			// TODO: remove this divergence from the HTML5 spec.
+			//
+			// We don't handle all of the corner cases when mixing foreign
+			// content (i.e. <math> or <svg>) with <template>. Without this
+			// early return, we can get into an infinite loop, possibly because
+			// of the "TODO... further divergence" a little below.
+			//
+			// As a workaround, if we are mixing foreign content and templates,
+			// just ignore the rest of the HTML. Foreign content is rare and a
+			// relatively old HTML feature. Templates are also rare and a
+			// relatively new HTML feature. Their combination is very rare.
+			for _, e := range p.oe {
+				if e.Namespace != "" {
+					p.im = ignoreTheRemainingTokens
+					return true
+				}
+			}
+
 			p.addElement()
 			p.afe = append(p.afe, &scopeMarker)
 			p.framesetOK = false
@@ -683,7 +701,7 @@ func inHeadIM(p *parser) bool {
 			if !p.oe.contains(a.Template) {
 				return true
 			}
-			// TODO: remove this divergence from the HTML5 spec.
+			// TODO: remove this further divergence from the HTML5 spec.
 			//
 			// See https://bugs.chromium.org/p/chromium/issues/detail?id=829668
 			p.generateImpliedEndTags()
@@ -2127,6 +2145,10 @@ func afterAfterFramesetIM(p *parser) bool {
 	return true
 }
 
+func ignoreTheRemainingTokens(p *parser) bool {
+	return true
+}
+
 const whitespaceOrNUL = whitespace + "\x00"
 
 // Section 12.2.6.5

html/parse_test.go

@@ -267,6 +267,9 @@ func TestParser(t *testing.T) {
 				if err != nil {
 					t.Fatal(err)
 				}
+				if parseTestBlacklist[ta.text] {
+					continue
+				}
 
 				err = testParseCase(ta.text, ta.want, ta.context, ParseOptionEnableScripting(ta.scripting))
 
@@ -379,6 +382,14 @@ func testParseCase(text, want, context string, opts ...ParseOption) (err error)
 	return nil
 }
 
+// Some test inputs are simply skipped - we would otherwise fail the test. We
+// blacklist such inputs from the parse test.
+var parseTestBlacklist = map[string]bool{
+	// See the a.Template TODO in inHeadIM.
+	`<math><template><mo><template>`:                                     true,
+	`<template><svg><foo><template><foreignObject><div></template><div>`: true,
+}
+
 // Some test input result in parse trees are not 'well-formed' despite
 // following the HTML5 recovery algorithms. Rendering and re-parsing such a
 // tree will not result in an exact clone of that tree. We blacklist such
@@ -454,6 +465,17 @@ func TestParseFragmentWithNilContext(t *testing.T) {
 	ParseFragment(strings.NewReader("<p>hello</p>"), nil)
 }
 
+func TestParseFragmentForeignContentTemplates(t *testing.T) {
+	srcs := []string{
+		"<math><html><template><mn><template></template></template>",
+		"<math><math><head><mi><template>",
+	}
+	for _, src := range srcs {
+		// The next line shouldn't infinite-loop.
+		ParseFragment(strings.NewReader(src), nil)
+	}
+}
+
 func BenchmarkParser(b *testing.B) {
 	buf, err := ioutil.ReadFile("testdata/go1.html")
 	if err != nil {