
x/net/html: fix CVE-2025-22872 #73070

Closed
minio/minio-go
#2085
@rolandshoemaker

Description

@rolandshoemaker

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing, which could result in content following the tag being placed in the wrong scope during DOM construction.

For example, a tag of the form `<p a=/>` is interpreted by the tokenizer as self-closing, resulting in incorrectly emitting `<p a="/"/>`. This is due to how we check if a tag is self-closing.


This is a PRIVATE issue for CVE-2025-22872, tracked in http://b/404570217.

/cc @golang/security and @golang/release
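
The misclassification described in this issue, as an added example that is not part of the original post and is not the x/net/html code: a simplified model comparing a check that trusts a trailing `/>` with one that ignores a solidus belonging to an unquoted attribute value. The function names and sample tags are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

func isSpace(c byte) bool { return strings.IndexByte(" \t\n\f\r", c) >= 0 }

// naiveSelfClosing models the flawed check: a raw tag ending in "/>" is self-closing.
func naiveSelfClosing(raw string) bool { return strings.HasSuffix(raw, "/>") }

// strictSelfClosing accepts the trailing '/' as a self-closing marker only
// when it is not part of an unquoted attribute value.
func strictSelfClosing(raw string) bool {
	if !strings.HasPrefix(raw, "<") || !strings.HasSuffix(raw, "/>") {
		return false
	}
	var quote byte // open quote character, 0 when none
	unquoted, afterEq := false, false
	for i := 1; i < len(raw)-1; i++ { // skip '<' and '>'
		c := raw[i]
		switch {
		case quote != 0: // inside a quoted value
			if c == quote {
				quote = 0
			}
		case unquoted: // only whitespace ends an unquoted value
			unquoted = !isSpace(c)
		case afterEq && !isSpace(c): // first byte of a value
			afterEq = false
			if c == '"' || c == '\'' {
				quote = c
			} else {
				unquoted = true
			}
		case c == '=':
			afterEq = true
		}
	}
	return quote == 0 && !unquoted
}

func main() {
	// Constructed sample tags; "<p a=/>" is the form from the issue text.
	for _, tag := range []string{`<p a=/>`, `<br/>`, `<p a="/"/>`, `<p a=b />`} {
		fmt.Printf("%-12s naive=%-5v strict=%v\n", tag, naiveSelfClosing(tag), strictSelfClosing(tag))
	}
}
```

Only the first sample differs between the two checks: the naive check reports `<p a=/>` as self-closing, while the strict one treats the solidus as the attribute value.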
