text/template: harden JSEscape to also escape ampersand and equal
Ampersand and equal are not dangerous in a JS/JSString context but they might cause issues if interpolated in HTML attributes. This change makes it harder to introduce XSS by misusing escaping. Thanks to t1ddl3r <t1ddl3r@gmail.com> for reporting this common misuse scenario. Fixes #35665 Change-Id: Ice6416477bba4cb2ba2fe2cfdc20e027957255c0 Reviewed-on: https://go-review.googlesource.com/c/go/+/207637 Reviewed-by:Filippo Valsorda <filippo@golang.org> Reviewed-by:
Mike Samuel <mikesamuel@gmail.com> Reviewed-by:
Andrew Bonventre <andybons@golang.org> Reviewed-by:
Daniel Martí <mvdan@mvdan.cc>
Loading
Please sign in to comment