UNKNOWN Go
Improper sanitization of CSS values in html/template
GO-2023-1751 · BIT-golang-2023-24539 · CVE-2023-24539
Published · Modified
Description
Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.
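A defender-side check for the template shape described above, added here as an example and not part of the advisory or the Go project: it scans template source for two actions joined by '/' inside a `<style>` element or a `style` attribute. The function name, the regular expressions and the sample template are assumptions constructed for illustration, and the scan is a textual heuristic rather than a template parser.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// cssRegion captures CSS text: a <style> body or a quoted style="..." value.
var cssRegion = regexp.MustCompile(
	`(?is)<style\b[^>]*>(.*?)</style>|\bstyle\s*=\s*"([^"]*)"|\bstyle\s*=\s*'([^']*)'`)

// slashJoined matches two template actions with only a '/' between them.
var slashJoined = regexp.MustCompile(`\{\{[^}]*\}\}/\{\{[^}]*\}\}`)

// Finding is one slash-joined action pair inside a CSS context.
type Finding struct {
	Line int    // 1-based line in the template source
	Text string // the matched actions
}

// FindSlashJoinedCSSActions (hypothetical helper) is a heuristic, not a parser.
func FindSlashJoinedCSSActions(src string) []Finding {
	var out []Finding
	for _, loc := range cssRegion.FindAllStringSubmatchIndex(src, -1) {
		for g := 1; g <= 3; g++ { // groups: <style> body, "..." value, '...' value
			if start, end := loc[2*g], loc[2*g+1]; start >= 0 {
				for _, m := range slashJoined.FindAllStringIndex(src[start:end], -1) {
					from, to := start+m[0], start+m[1]
					out = append(out, Finding{1 + strings.Count(src[:from], "\n"), src[from:to]})
				}
			}
		}
	}
	return out
}

// sample is a constructed template, not taken from any real project.
const sample = `<style>
  .a { width: {{.W}}/{{.H}}; }
</style>
<p style="font: {{.Size}}/{{.LineHeight}} serif">text</p>
<a href="/u/{{.ID}}/{{.Page}}">URL context, not reported</a>`

func main() {
	for _, f := range FindSlashJoinedCSSActions(sample) {
		fmt.Printf("line %d: %s\n", f.Line, f.Text)
	}
}
```

A hit marks a template to review for untrusted input reaching those actions; it does not by itself show that the template is exploitable.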
References