html/template: disallow angle brackets in CSS values

Angle brackets should not appear in CSS contexts, as they may affect token boundaries (such as closing a <style> tag, resulting in injection). Instead emit filterFailsafe, matching the behavior for other dangerous characters. Thanks to Juho Nurminen of Mattermost for reporting this issue. Fixes #59720 Fixes CVE-2023-24539 Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636 Reviewed-by: Julie Qiu <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Damien Neil <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/491615 Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Run-TryBot: Carlos Amedee <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
golang · May 2, 2023 · 8673ca8 · 8673ca8
1 parent 72ba919
commit 8673ca8
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/src/html/template/css.go b/src/html/template/css.go
@@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string {
 	// inside a string that might embed JavaScript source.
 	for i, c := range b {
 		switch c {
-		case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}':
+		case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>':
 			return filterFailsafe
 		case '-':
 			// Disallow <!-- or -->.

diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go
@@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) {
 		{`-exp\000052 ession(alert(1337))`, "ZgotmplZ"},
 		{`-expre\0000073sion`, "-expre\x073sion"},
 		{`@import url evil.css`, "ZgotmplZ"},
+		{"<", "ZgotmplZ"},
+		{">", "ZgotmplZ"},
 	}
 	for _, test := range tests {
 		got := cssValueFilter(test.css)