Go HTML Template Escaper Bypass Vulnerability in Meta Content URL Escaping
Vulnerability
A vulnerability exists in the html/template package of the Go programming language, specifically in versions prior to 1.25.10 and between 1.26.0 and 1.26.3. It allows cross-site scripting (XSS) attacks because URLs in meta tags are escaped improperly. The issue arises when URLs in the 'content' attribute of a meta tag are surrounded by ASCII whitespace, which disrupts the escaping process and creates a potential XSS vector.
Impact
Exploitation of this vulnerability allows cross-site scripting (XSS) attacks, in which an attacker injects malicious scripts that are executed in the context of the user's browser.
Reproduction
To reproduce this vulnerability, create a template that includes a meta tag with a URL in the content attribute. Insert ASCII whitespace around the '=' character in the URL. When the template is executed, the URL will not be properly escaped, leading to XSS.
Remediation
Users can upgrade to Go version 1.26.3 or 1.25.10, both of which include the necessary fix. Instructions for downloading these versions are available on the Go website.
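One way to find templates worth reviewing while the upgrade is rolled out, as an added example (not code from the Go project or from this advisory): it flags meta tags whose content attribute places a template action after `url` with ASCII whitespace beside the `=`. The regular expressions are a heuristic reading of the description above, and the `AuditTemplate` name and the sample template are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Heuristic patterns (assumptions of this example, not the package's parser).
// ASCII whitespace here means tab, LF, FF, CR and space.
var (
	metaTag     = regexp.MustCompile(`(?is)<meta\b[^>]*>`)
	contentAttr = regexp.MustCompile(`(?is)\bcontent\s*=\s*("[^"]*"|'[^']*')`)
	// "url", then '=' with whitespace on at least one side, then a template action.
	spacedURLAction = regexp.MustCompile(`(?is)\burl(?:[ \t\n\f\r]+=[ \t\n\f\r]*|=[ \t\n\f\r]+)\{\{`)
)

// Finding is one meta tag whose content attribute should be reviewed.
type Finding struct {
	Line int
	Tag  string
}

// Constructed sample template: lines 3 and 5 have whitespace beside '='.
const sample = `<head>
<meta http-equiv="refresh" content="0; url={{.Next}}">
<meta http-equiv="refresh" content="0; url = {{.Next}}">
<meta name="description" content="{{.Desc}}">
<meta http-equiv="refresh" content="5;URL= {{.Next}}">
</head>`

// AuditTemplate returns the meta tags in src that match the whitespace pattern.
func AuditTemplate(src string) []Finding {
	var out []Finding
	for _, loc := range metaTag.FindAllStringIndex(src, -1) {
		tag := src[loc[0]:loc[1]]
		m := contentAttr.FindStringSubmatch(tag)
		if m == nil || !spacedURLAction.MatchString(m[1]) {
			continue
		}
		out = append(out, Finding{Line: 1 + strings.Count(src[:loc[0]], "\n"), Tag: tag})
	}
	return out
}

func main() {
	for _, f := range AuditTemplate(sample) {
		fmt.Printf("line %d: review %s\n", f.Line, f.Tag)
	}
}
```

A match is a prompt for review, not proof of exposure; whether the rendered URL is attacker-controlled depends on where the template data comes from.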
