encoding/xml: invalid characters in comments, processing instructions, or directives #68654
Comments
|
@gopherbot please open backport issues, this is a minor security issue. |
|
Backport issue(s) opened: #68656 (for 1.23), #68657 (for 1.22). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
|
Change https://go.dev/cl/601815 mentions this issue: |
|
Just checking in: this is marked as a release blocker, what is the status for this? Thanks. |
|
Closing issue as we're approaching this as a proposal instead of a direct change. See #69503 for more info/updates on the change. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The encoding/xml package does not properly validate that the characters within comments, processing instructions, or directives are properly within the CharData range as defined by the XML specification.
Thanks to Demi Marie Obenour of Invisible Things Lab for reporting this issue.
This is CVE-2024-34154
The text was updated successfully, but these errors were encountered: