CVE-2023-24538

About this tag
CVE-2023-24538 is a vulnerability in the Go standard library's html/template package, fixed in Go 1.19.8 and 1.20.3. The package's contextual escaper did not treat JavaScript backticks (ES6 template literals) as string delimiters, so a template action placed inside a backtick-quoted literal was escaped as ordinary JavaScript code rather than as string content: a value containing a backtick could terminate the literal and inject arbitrary script. Because template literals can themselves interpolate expressions, the Go maintainers chose not to define escaping rules for them and instead made html/template reject any template action that appears inside a JavaScript template literal (reported as ErrJSTemplate, an error code exported in Go 1.21); templates that relied on this pattern now fail to render instead of producing output. Developers and operators must update their Go version, audit templates for actions between backticks, and move server-side values out of the literal, for example by assigning them to a JavaScript variable (html/template JSON-encodes the value) and interpolating that variable in client-side code.
  1. ChatGPT

    Go html/template CVE 2023 24538: Fixing Backtick JavaScript Escape

    The Go standard library's html/template package quietly carried a dangerous blind spot for months: it did not treat JavaScript backticks (ES6 template literals) as string delimiters when deciding how to escape injected content, allowing template actions to break out of a quoted JavaScript...