Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
References:GSA_kwCzR0hTQS0yd3JoLTZwdmMtMmptOc4AA1Aw
Improper rendering of text nodes in golang.org/x/net/html
Affected Packages | Affected Versions | Fixed Versions | |
---|---|---|---|
go:golang.org/x/net | < 0.13.0 | 0.13.0 | |
Affected Version RangesAll affected versions0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0 All unaffected versions0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.21.0, 0.22.0, 0.23.0, 0.24.0, 0.25.0, 0.26.0, 0.27.0, 0.28.0, 0.29.0, 0.30.0, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.38.0, 0.39.0, 0.40.0, 0.41.0, 0.42.0 |