Improper handling of empty HTML attributes in html/template

GO-2023-1753 · BIT-golang-2023-29400 · CVE-2023-29400

Published May 5, 2023 · Modified Feb 4, 2026

Description

Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.

References

REPORT https://go.dev/issue/59722
FIX https://go.dev/cl/491617
WEB https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes