This was reported by a finder via [email protected]
text/template.JSEscape escapes 5 characters in the "safe" printable ascii, plus all characters considered risky.
Current code to check if a rune needs escaping:
This leaves out = and &, which are also commonly escaped in this context.
This is not a vulnerability as & and = can only create problems when they appear in HTML context.
That said I would assume that it is not uncommon to have inline event handlers like these:

<button onclick=%s> click me! </button>

in which people forget to also apply HTML escaping after JS escaping when doing "manual" escaping instead of using html/template.
We should probably approach this in a more conservative way and err on the side of escaping a little bit more than less, hence adding two more characters to the escape set.
Note that this change might break some tests if they rely on stored responses.
CL: https://go-review.googlesource.com/c/go/+/207637
cc @FiloSottile @rsc @mvdan @t1ddl3r
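The difference between the two escape sets, as an added example (not code from the issue or from the Go standard library): a simplified JS escaper parameterised by the set of printable ASCII runes it rewrites, plus a check for what is left over when the result is dropped into an HTML attribute without the second, HTML-escaping step. The escaper, the constant names and the sample input are constructed for this illustration; the real text/template.JSEscape differs in detail.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf16"
)

const (
	currentSet      = "\\'\"<>"   // the five printable ASCII runes escaped today
	conservativeSet = "\\'\"<>=&" // proposed set: also '=' and '&'
)

// jsEscape rewrites s for a JavaScript string literal: runes in set, control
// characters and unprintable runes become \uXXXX (UTF-16 units, so astral runes
// become surrogate pairs). Illustrative re-implementation, not text/template's.
func jsEscape(s, set string) string {
	var b strings.Builder
	for _, r := range s {
		if strings.ContainsRune(set, r) || r < ' ' || !unicode.IsPrint(r) {
			for _, u := range utf16.Encode([]rune{r}) {
				fmt.Fprintf(&b, `\u%04X`, u)
			}
			continue
		}
		b.WriteRune(r)
	}
	return b.String()
}

// htmlAttrResidue lists the characters of s still meaningful if s lands in an HTML
// attribute without the HTML-escaping step the issue's onclick example forgets.
func htmlAttrResidue(s string) string {
	var out strings.Builder
	for _, r := range `<>&="'` {
		if strings.ContainsRune(s, r) {
			out.WriteRune(r)
		}
	}
	return out.String()
}

func main() {
	input := "a=1&b=2 <x>" // constructed sample, not from the issue
	for _, set := range []string{currentSet, conservativeSet} {
		esc := jsEscape(input, set)
		fmt.Printf("%-40s residue: %q\n", esc, htmlAttrResidue(esc))
	}
}
```

With the current set the output still carries "&=" into the attribute; with the conservative set nothing HTML-significant survives, which is the whole point of adding the two characters.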