From 68b7c3ea0659978cf70ed592a73b2b5c2e0632e1 Mon Sep 17 00:00:00 2001
From: bwzhang
Date: Sun, 28 Apr 2024 10:46:26 +0800
Subject: [PATCH] fix CVE-2023-3978 html: only render content literally in the HTML namespace
Per the WHATWG HTML specification, section 13.3, only append the literal content of a text node if we are in the HTML namespace.
Thanks to Mohammad Thoriq Aziz for reporting this issue.
Fixes golang/go#61615
Fixes CVE-2023-3978
Change-Id: I332152904d4e7646bd2441602bcbe591fc655fa4
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1942896
Reviewed-by: Tatiana Bradley
Run-TryBot: Roland Shoemaker
Reviewed-by: Damien Neil
TryBot-Result: Security TryBots
Reviewed-on: https://go-review.googlesource.com/c/net/+/514896
Reviewed-by: Roland Shoemaker
TryBot-Result: Gopher Robot
Run-TryBot: Damien Neil
---
 .../vendor/golang.org/x/net/html/render.go | 28 ++++++++++++++++---
 1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/net/html/render.go b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/net/html/render.go
index d34564f..5914410 100644
--- a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/net/html/render.go
+++ b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/net/html/render.go
@@ -191,9 +191,8 @@ func render1(w writer, n *Node) error {
 }
 }
 
- // Render any child nodes.
- switch n.Data {
- case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
+ // Render any child nodes
+ if childTextNodesAreLiteral(n) {
 for c := n.FirstChild; c != nil; c = c.NextSibling {
 if c.Type == TextNode {
 if _, err := w.WriteString(c.Data); err != nil {
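Review bot: The rewritten comment on the first added line dropped its trailing period (`// Render any child nodes`) while the removed line and the other comments visible in this patch end in full stops; restore it and, since the branch now hinges on a helper whose contract is not visible here, state what the literal path covers: `// Render any child nodes. Text children of raw-text elements are written verbatim (HTML namespace only); everything else takes the escaping path.` childTextNodesAreLiteral is defined in a later hunk of this patch. render1 starts before this hunk and continues past it.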
@@ -210,7 +209,7 @@ func render1(w writer, n *Node) error {
 // last element in the file, with no closing tag.
 return plaintextAbort
 }
- default:
+ } else {
 for c := n.FirstChild; c != nil; c = c.NextSibling {
 if err := render1(w, c); err != nil {
 return err
@@ -228,6 +227,27 @@ func render1(w writer, n *Node) error {
 return w.WriteByte('>')
 }
 
+func childTextNodesAreLiteral(n *Node) bool {
+ // Per WHATWG HTML 13.3, if the parent of the current node is a style,
+ // script, xmp, iframe, noembed, noframes, or plaintext element, and the
+ // current node is a text node, append the value of the node's data
+ // literally. The specification is not explicit about it, but we only
+ // enforce this if we are in the HTML namespace (i.e. when the namespace is
+ // "").
+ // NOTE: we also always include noscript elements, although the
+ // specification states that they should only be rendered as such if
+ // scripting is enabled for the node (which is not something we track).
+ if n.Namespace != "" {
+ return false
+ }
+ switch n.Data {
+ case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
+ return true
+ default:
+ return false
+ }
+}
+
 // writeQuoted writes s to w surrounded by quotes. Normally it will use double
 // quotes, but if s contains a double quote, it will use single quotes.
 // It is used for writing the identifiers in a doctype declaration.
--
2.20.1
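Review bot: childTextNodesAreLiteral keeps its whole explanation inside the body, so nothing is shown for it by godoc or editor hover; move the WHATWG 13.3 and noscript paragraphs above the declaration as a doc comment opening with the name, e.g. `// childTextNodesAreLiteral reports whether the text children of n must be written verbatim: only raw-text elements in the HTML namespace (Namespace == "") qualify; same-named elements in a foreign namespace such as SVG take the escaping path in render1.` The diffstat lists render.go as the only file touched, so the new namespace check carries no regression test in this tree (vendored copies often omit tests, so it may exist upstream); a render test with a text node under an element whose Data is "style" and whose Namespace is non-empty, expecting escaped output, would pin the fix. The exact-match switch on n.Data presumably relies on the parser lowercasing element names; a hand-built tree with mixed-case names falls through to escaping, which is the safe direction but worth a one-line note if intended.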