Description
This was reported by a finder via [email protected]
text/template.JSEscape escapes 5 characters in the "safe" printable ASCII range, plus all characters considered risky (control characters and everything non-ASCII).
Current code to check if a rune needs escaping:
// jsIsSpecial reports whether r must be escaped in a JS string literal.
// utf8 here is the standard library package unicode/utf8.
func jsIsSpecial(r rune) bool {
	switch r {
	case '\\', '\'', '"', '<', '>':
		return true
	}
	// Control characters (below space) and every non-ASCII rune.
	return r < ' ' || utf8.RuneSelf <= r
}
This leaves out the characters = and &, which are also commonly escaped in this context.
This is not a vulnerability, as & and = can only create problems when they appear in an HTML context.
That said, I would assume that it is not uncommon to have inline event handlers like this:
<button onclick=%s> click me! </button>
in which people forget to also apply HTML escaping after JS escaping when doing "manual" escaping instead of using html/template.
We should probably approach this in a more conservative way and err on the side of escaping a little more rather than less, hence adding two more characters to the escape set.
Note that this change might break some tests if they rely on stored responses.
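To make the difference concrete, here is an added example (not the Go standard library's code) that puts the current predicate next to the proposed one and runs a small JSEscape-style encoder over a constructed value; the encoder, the jsIsSpecialConservative name and the sample input are assumptions of this example, chosen to reproduce JSEscape's output forms (\\ \' \" and \uXXXX).

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// jsIsSpecialCurrent mirrors the predicate quoted in the issue.
func jsIsSpecialCurrent(r rune) bool {
	switch r {
	case '\\', '\'', '"', '<', '>':
		return true
	}
	return r < ' ' || utf8.RuneSelf <= r
}

// jsIsSpecialConservative is the proposed set: the same plus '=' and '&'.
// (Name is this example's own, not an identifier from the stdlib.)
func jsIsSpecialConservative(r rune) bool {
	return r == '=' || r == '&' || jsIsSpecialCurrent(r)
}

// jsEscape encodes s for a JS string literal with the output forms JSEscape
// uses: backslash escapes for \ ' ", \uXXXX for everything else that is
// special, and printable non-ASCII runes left intact.
func jsEscape(s string, isSpecial func(rune) bool) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case !isSpecial(r):
			b.WriteRune(r)
		case r == '\\' || r == '\'' || r == '"':
			b.WriteByte('\\')
			b.WriteRune(r)
		case r >= utf8.RuneSelf && unicode.IsPrint(r):
			b.WriteRune(r)
		default:
			fmt.Fprintf(&b, "\\u%04X", r)
		}
	}
	return b.String()
}

func main() {
	in := `name="a=1&b=2"` // constructed sample value
	fmt.Println(jsEscape(in, jsIsSpecialCurrent))      // = and & pass through
	fmt.Println(jsEscape(in, jsIsSpecialConservative)) // both become \u escapes
}
```

With the current set the two characters survive unchanged, so a value dropped into an unquoted onclick attribute without a second HTML-escaping pass reaches the attribute parser as-is; the conservative set turns them into \u003D and \u0026, which the HTML attribute parser does not interpret.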