From 8ffa475fbdb33da97e8bf79cc5791ee8751fca5e Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <bracewell@google.com>
Date: Thu, 06 Jul 2023 10:25:47 -0700
Subject: [PATCH] html: only render content literally in the HTML namespace
Per the WHATWG HTML specification, section 13.3, only append the literal
content of a text node if we are in the HTML namespace.
Thanks to Mohammad Thoriq Aziz for reporting this issue.
Fixes golang/go#61615
Fixes CVE-2023-3978
Change-Id: I332152904d4e7646bd2441602bcbe591fc655fa4
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1942896
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/514896
Reviewed-by: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
---
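--- a/vendor/golang.org/x/net/html/render.go
+++ b/vendor/golang.org/x/net/html/render.go
@@ -194,9 +194,8 @@
 }
 }
 
- // Render any child nodes.
- switch n.Data {
- case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
+ // Render any child nodes
+ if childTextNodesAreLiteral(n) {
 for c := n.FirstChild; c != nil; c = c.NextSibling {
 if c.Type == TextNode {
 if _, err := w.WriteString(c.Data); err != nil {
@@ -213,7 +212,7 @@
 // last element in the file, with no closing tag.
 return plaintextAbort
 }
- default:
+ } else {
 for c := n.FirstChild; c != nil; c = c.NextSibling {
 if err := render1(w, c); err != nil {
 return err
@@ -231,6 +230,27 @@
 return w.WriteByte('>')
 }
 
+func childTextNodesAreLiteral(n *Node) bool {
+ // Per WHATWG HTML 13.3, if the parent of the current node is a style,
+ // script, xmp, iframe, noembed, noframes, or plaintext element, and the
+ // current node is a text node, append the value of the node's data
+ // literally. The specification is not explicit about it, but we only
+ // enforce this if we are in the HTML namespace (i.e. when the namespace is
+ // "").
+ // NOTE: we also always include noscript elements, although the
+ // specification states that they should only be rendered as such if
+ // scripting is enabled for the node (which is not something we track).
+ if n.Namespace != "" {
+ return false
+ }
+ switch n.Data {
+ case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
+ return true
+ default:
+ return false
+ }
+}
+
 // writeQuoted writes s to w surrounded by quotes. Normally it will use double
 // quotes, but if s contains a double quote, it will use single quotes.
 // It is used for writing the identifiers in a doctype declaration.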