html/template: improper sanitization of CSS values

[rolandshoemaker]

Angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for injection of unexpected HMTL, if executed with untrusted input.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.

/cc @golang/security and @golang/release

[neild]

@gopherbot please open backport issues for this security fix

[gopherbot]

Backport issue(s) opened: #59811 (for 1.19), #59812 (for 1.20).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/491335 mentions this issue: [release-branch.go1.19] html/template: disallow angle brackets in CSS values

[gopherbot]

Change https://go.dev/cl/491336 mentions this issue: [release-branch.go1.20] html/template: disallow angle brackets in CSS values