{"id":"GO-2023-1753","summary":"Improper handling of empty HTML attributes in html/template","details":"Templates containing actions in unquoted HTML attributes (e.g. \"attr={{.}}\") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.","aliases":["BIT-golang-2023-29400","CVE-2023-29400"],"modified":"2026-03-17T04:43:02.114825Z","published":"2023-05-05T21:10:24Z","related":["CGA-7g62-qwvm-mvgp"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2023-1753"},"references":[{"type":"REPORT","url":"https://go.dev/issue/59722"},{"type":"FIX","url":"https://go.dev/cl/491617"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.19.9"},{"introduced":"1.20.0-0"},{"fixed":"1.20.4"}]}],"ecosystem_specific":{"imports":[{"path":"html/template","symbols":["Template.Execute","Template.ExecuteTemplate","appendCmd","htmlNospaceEscaper"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-1753.json"}}],"schema_version":"1.7.5","credits":[{"name":"Juho Nurminen of Mattermost"}]}