URLs in meta content attribute actions are not escaped in html/template

GO-2026-4603 · BIT-golang-2026-27142 · CVE-2026-27142

Published Mar 6, 2026 · Modified May 15, 2026

Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".

A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

References

WEB https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
REPORT https://go.dev/issue/77954
FIX https://go.dev/cl/752081

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes