cve 2023 24538
About this tag
CVE-2023-24538 is a security vulnerability in the Go standard library's html/template package. The package did not treat JavaScript backticks (ES6 template literals) as string delimiters, so a template action placed inside a template literal could break out of the quoted JavaScript context and inject arbitrary script. The Go maintainers fixed this by disallowing template actions inside JavaScript template literals, so such templates now fail instead of rendering. Developers and operators must update their Go version, audit templates, and adjust how server-side values are embedded into client-side scripts to mitigate this issue.
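The two patterns described above side by side, as an added example rather than code from the Go project or from any post on this tag: one template places an action inside a backtick literal (the pattern this CVE concerns), the other embeds the value in plain JavaScript expression position and lets the client build the string. On patched Go (1.20.3/1.19.8 through 1.21) the first pattern is refused with a `*template.Error` whose code is `ErrJSTemplate`; Go 1.22 and later escape the interpolated value inside the literal instead. The sample value, the `pageData` type and the `render`/`Render*` helpers are constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Constructed sample value: it carries the characters that matter in a JS
// string context (a single quote, a backtick, a ${ interpolation and a
// closing script tag).
const hostileName = "O'Reilly `${x}` </script>"

// unsafeTmpl places the action inside a JS template literal. Before the fix
// for CVE-2023-24538, html/template did not treat the backtick as a string
// delimiter, so a backtick in the data could terminate the literal and the
// rest of the value ran as script.
const unsafeTmpl = "<script>const greeting = `Hello, {{.Name}}`;</script>"

// safeTmpl embeds the value in plain JS expression position. html/template
// JSON-encodes it there (escaping <, > and & as \u003c, \u003e, \u0026) and
// the client interpolates the resulting string itself, so no Go action ever
// sits inside a template literal.
const safeTmpl = `<script>const name = {{.Name}};
document.getElementById("greeting").textContent = ` + "`Hello, ${name}`" + `;</script>`

type pageData struct{ Name string }

// render parses and executes src, returning the output or the first error
// from Parse or Execute (html/template escapes lazily, on first Execute).
func render(src, name string) (string, error) {
	t, err := template.New("page").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, pageData{Name: name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderUnsafePattern renders the action-inside-literal template. Patched
// Go either rejects it with an error (1.20.3/1.19.8 through 1.21) or
// escapes the value inside the literal (1.22 and later); on either the
// hostile backtick cannot close the literal.
func RenderUnsafePattern(name string) (string, error) {
	return render(unsafeTmpl, name)
}

// RenderSafePattern renders the recommended layout, which behaves the same
// on every Go version: the server emits a JSON string, the client formats it.
func RenderSafePattern(name string) (string, error) {
	return render(safeTmpl, name)
}

// RawBacktickSurvives reports whether the backtick-delimited fragment of the
// sample value reached the output unescaped. Inside a backtick literal that
// would mean the literal was broken open.
func RawBacktickSurvives(out string) bool {
	return strings.Contains(out, "`${x}`")
}

func main() {
	out, err := RenderUnsafePattern(hostileName)
	if err != nil {
		fmt.Println("action inside JS template literal rejected:", err)
	} else {
		fmt.Println("action inside JS template literal escaped:", out)
	}
	out, err = RenderSafePattern(hostileName)
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

In the safe output the value appears as `"O'Reilly ...\u003c/script\u003e"`: a double-quoted JSON string in which a backtick has no meaning, and in which the closing tag is escaped so the HTML parser cannot end the script block early. Auditing for this CVE therefore means looking for `{{` between backticks inside `<script>` blocks and moving those actions out of the literal, as in `safeTmpl`.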
The Go standard library's html/template package quietly carried a dangerous blind spot for months: it did not treat JavaScript backticks (ES6 template literals) as string delimiters when deciding how to escape injected content, allowing template actions to break out of a quoted JavaScript...