Go html/template Escaper Bypass Vulnerability Leading to Cross-Site Scripting

A vulnerability exists in the Go programming language's html/template package, specifically in versions prior to 1.25.10 and from 1.26.0 up to but not including 1.26.3. This vulnerability allows for cross-site scripting (XSS) attacks by bypassing the template escaper. If a trusted template author includes a <script> tag with an empty 'type' attribute or one containing ASCII whitespace, any data passed into the <script> block will be improperly escaped. This issue was reported by a user named Mundur.

Impact

Exploitation of this vulnerability allows for cross-site scripting (XSS) attacks, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, create a template using the html/template package in Go. Include a <script> tag with an empty 'type' attribute or a 'type' attribute that contains ASCII whitespace. When the template is executed with data passed into the <script> block, the data will be incorrectly escaped, allowing for potential XSS exploitation.

Remediation

Users can upgrade to Go versions 1.26.3 or 1.25.10, both of which include the necessary fix. Instructions for downloading these versions are available on the Go website.