go template security
About this tag
The Go html/template package had a security vulnerability (CVE-2023-24538) in which JavaScript backticks (template literals) were not treated as string delimiters, allowing template actions to break out of quoted contexts and inject arbitrary script. The fix disallows Go template actions inside JavaScript template literals, so templates that use them now fail to parse. Users must update, audit, or change how they embed server-side values into client-side scripts. This tag covers discussions on Go template security, including vulnerabilities, fixes, and best practices for secure template usage.
The Go standard library's html/template package quietly carried a dangerous blind spot for months: it did not treat JavaScript backticks (ES6 template literals) as string delimiters when deciding how to escape injected content, allowing template actions to break out of a quoted JavaScript...