| commit | e1fcd82abba34df74614020343be8eb1fe85f0d9 | [log] [tgz] |
|---|---|---|
| author | Roland Shoemaker <roland@golang.org> | Mon Feb 24 11:18:31 2025 -0800 |
| committer | Gopher Robot <gobot@golang.org> | Thu Mar 27 12:51:24 2025 -0700 |
| tree | c17c71fdf97b3caff772177f91b3bcb3bebafd6f | |
| parent | ebed060e8f30f20235f74808c22125fd86b15edd [diff] |
html: properly handle trailing solidus in unquoted attribute value in foreign content The parser properly treats tags like <p a=/> as <p a="/">, but the tokenizer emits the SelfClosingTagToken token incorrectly. When the parser is used to parse foreign content, this results in an incorrect DOM. Thanks to Sean Ng (https://ensy.zip) for reporting this issue. Fixes golang/go#73070 Fixes CVE-2025-22872 Change-Id: I65c18df6d6244bf943b61e6c7a87895929e78f4f Reviewed-on: https://go-review.googlesource.com/c/net/+/661256 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Gopher Robot <gobot@golang.org>
This repository holds supplementary Go networking packages.
This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://go.dev/doc/contribute.
The git repository is https://go.googlesource.com/net.
The main issue tracker for the net repository is located at https://go.dev/issues. Prefix your issue with “x/net:” in the subject line, so it is easy to find.