The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing, which could result in content following the tag being placed in the wrong scope during DOM construction.
For example, a tag of the form <p a=/> is interpreted by the tokenizer as self-closing, resulting in it incorrectly emitting <p a="/"/>. This is due to how we check if a tag is self-closing.
This is a PRIVATE issue for CVE-2025-22872, tracked in http://b/404570217.
/cc @golang/security and @golang/release
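To make the failure mode concrete, here is an added Go illustration (example code, not the x/net/html implementation): a naive check that keys only on the bytes in front of '>' beside a checker that tracks whether the '/' was read inside an unquoted attribute value, which is the distinction the report is about.

```go
package main

import "fmt"

func isSpace(c byte) bool { return c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\f' }
// naiveSelfClosing models the bug class from the report: it looks only at the bytes
// in front of '>'. Constructed illustration, not the x/net/html implementation.
func naiveSelfClosing(tag string) bool {
	return len(tag) >= 3 && tag[len(tag)-2] == '/' && tag[len(tag)-1] == '>'
}
// specSelfClosing tracks the tokenizer states that matter: '/' marks the tag
// self-closing only when read outside an attribute value, and an unquoted value
// runs until whitespace, so a '/' inside it is value data. Input is one start tag.
func specSelfClosing(tag string) bool {
	if len(tag) < 3 || tag[0] != '<' || tag[len(tag)-1] != '>' {
		return false
	}
	b, i := tag[1:len(tag)-1], 0
	for i < len(b) && !isSpace(b[i]) && b[i] != '/' { i++ } // tag name
	for i < len(b) {
		switch c := b[i]; {
		case isSpace(c):
			i++
		case c == '/':
			if i == len(b)-1 { return true } // '/' directly before '>'
			i++ // stray '/': parse error, not self-closing
		default:
			for i < len(b) && !isSpace(b[i]) && b[i] != '=' && b[i] != '/' { i++ } // attribute name
			for i < len(b) && isSpace(b[i]) { i++ }
			if i < len(b) && b[i] == '=' {
				i++
				for i < len(b) && isSpace(b[i]) { i++ }
				if i < len(b) && (b[i] == '"' || b[i] == '\'') {
					q := b[i]
					for i++; i < len(b) && b[i] != q; i++ {}
					i++ // step past the closing quote
				} else {
					for i < len(b) && !isSpace(b[i]) { i++ } // unquoted: swallows any '/'
				}
			}
		}
	}
	return false
}

func main() {
	for _, t := range []string{"<p a=/>", "<p a=x/>", "<br/>", `<p a="x"/>`, "<p a=x />"} {
		fmt.Printf("%-12s naive=%-5v spec=%v\n", t, naiveSelfClosing(t), specSelfClosing(t))
	}
}
```

The first two inputs are where the two checks disagree: the naive check reports them as self-closing, so whatever follows the tag would be placed outside the <p> element during tree construction.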