html: ignore templates nested within foreign content
Fixes #46288
Fixes CVE-2021-33194

Change-Id: I2fe39702de8e9aab29965c1526e377a6f9cdf056
Reviewed-on: https://go-review.googlesource.com/c/net/+/311090
Reviewed-by: Filippo Valsorda <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
Trust: Roland Shoemaker <[email protected]>
TryBot-Result: Go Bot <[email protected]>
nigeltao authored and FiloSottile committed May 20, 2021
1 parent 4163338 commit 37e1c6a
Showing 2 changed files with 45 additions and 1 deletion.
24 changes: 23 additions & 1 deletion html/parse.go
Expand Up @@ -663,6 +663,24 @@ func inHeadIM(p *parser) bool {
// Ignore the token.
return true
case a.Template:
// TODO: remove this divergence from the HTML5 spec.
//
// We don't handle all of the corner cases when mixing foreign
// content (i.e. <math> or <svg>) with <template>. Without this
// early return, we can get into an infinite loop, possibly because
// of the "TODO... further divergence" a little below.
//
// As a workaround, if we are mixing foreign content and templates,
// just ignore the rest of the HTML. Foreign content is rare and a
// relatively old HTML feature. Templates are also rare and a
// relatively new HTML feature. Their combination is very rare.
for _, e := range p.oe {
if e.Namespace != "" {
p.im = ignoreTheRemainingTokens
return true
}
}

p.addElement()
p.afe = append(p.afe, &scopeMarker)
p.framesetOK = false
Expand All @@ -683,7 +701,7 @@ func inHeadIM(p *parser) bool {
if !p.oe.contains(a.Template) {
return true
}
// TODO: remove this divergence from the HTML5 spec.
// TODO: remove this further divergence from the HTML5 spec.
//
// See https://bugs.chromium.org/p/chromium/issues/detail?id=829668
p.generateImpliedEndTags()
Expand Down Expand Up @@ -2127,6 +2145,10 @@ func afterAfterFramesetIM(p *parser) bool {
return true
}

func ignoreTheRemainingTokens(p *parser) bool {
return true
}

const whitespaceOrNUL = whitespace + "\x00"

// Section 12.2.6.5
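Review bot: The new insertion-mode function `ignoreTheRemainingTokens` at the bottom of the hunk has no doc comment, unlike the neighbouring `// Section 12.2.6.x` insertion modes, and nothing at its definition says it is a deliberate divergence from the spec. Because it returns true for every token, once `p.im` is switched to it in the a.Template case the remainder of the input is dropped and callers receive a silently truncated tree; that is a reasonable trade against the hang this commit fixes, but it is worth stating at the function so downstream users (sanitizers, scrapers) know the output can differ from a browser's for such inputs. Suggested comment: `// ignoreTheRemainingTokens is a non-spec insertion mode entered from inHeadIM when a <template> start tag arrives while foreign content is on the stack of open elements; it discards every remaining token, so the returned tree is truncated at that point.` The enclosing inHeadIM function starts and ends outside the hunk, so whether other insertion modes reach this a.Template case only by delegating to inHeadIM is not visible here.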
22 changes: 22 additions & 0 deletions html/parse_test.go
Expand Up @@ -267,6 +267,9 @@ func TestParser(t *testing.T) {
if err != nil {
t.Fatal(err)
}
if parseTestBlacklist[ta.text] {
continue
}

err = testParseCase(ta.text, ta.want, ta.context, ParseOptionEnableScripting(ta.scripting))

Expand Down Expand Up @@ -379,6 +382,14 @@ func testParseCase(text, want, context string, opts ...ParseOption) (err error)
return nil
}

// Some test inputs are simply skipped - we would otherwise fail the test. We
// blacklist such inputs from the parse test.
var parseTestBlacklist = map[string]bool{
// See the a.Template TODO in inHeadIM.
`<math><template><mo><template>`: true,
`<template><svg><foo><template><foreignObject><div></template><div>`: true,
}

// Some test input result in parse trees are not 'well-formed' despite
// following the HTML5 recovery algorithms. Rendering and re-parsing such a
// tree will not result in an exact clone of that tree. We blacklist such
Expand Down Expand Up @@ -454,6 +465,17 @@ func TestParseFragmentWithNilContext(t *testing.T) {
ParseFragment(strings.NewReader("<p>hello</p>"), nil)
}

func TestParseFragmentForeignContentTemplates(t *testing.T) {
srcs := []string{
"<math><html><template><mn><template></template></template>",
"<math><math><head><mi><template>",
}
for _, src := range srcs {
// The next line shouldn't infinite-loop.
ParseFragment(strings.NewReader(src), nil)
}
}

func BenchmarkParser(b *testing.B) {
buf, err := ioutil.ReadFile("testdata/go1.html")
if err != nil {
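Review bot: `TestParseFragmentForeignContentTemplates` discards both results of `ParseFragment`, so it only establishes that parsing terminates, not that the workaround path handles these inputs without error; `if _, err := ParseFragment(strings.NewReader(src), nil); err != nil { t.Errorf("ParseFragment(%q): %v", src, err) }` would pin both. Termination is only detected through the test binary's overall timeout, so a regression would surface as a hung test run rather than a fast failure; a comment on the loop saying so, or a deadline around the call, would make the intent explicit. The `parseTestBlacklist` comment points at the a.Template TODO in inHeadIM, which helps; presumably these inputs are skipped because the expected spec tree is no longer produced rather than because they still loop, and saying which would spare the next reader the guess.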
