Fix upstream Go templates bug with reversed key/value assignment #11114
Conversation
| @@ -17,6 +17,10 @@ import ( | |||
| template "github.com/gohugoio/hugo/tpl/internal/go_templates/texttemplate" | |||
| ) | |||
|
|
|||
| // See https://github.com/golang/go/issues/59234 | |||
| // Moved here to avoid dependency on Go's internal/debug package. | |||
| var debugAllowActionJSTmpl = false | |||
There was a problem hiding this comment.
@jmooring this has been in Go since 1.20.3, but will be introduced in Hugo with this PR. I fear it will ... break stuff. What do you think?
There was a problem hiding this comment.
Ideal: If the choice is between backwards compatibility and security, then security wins.
Practical: It depends on how many sites will break, and to some extent, which sites.
I will need to work with this PR to understand the effects before I can provide meaningful feedback and examples.
There was a problem hiding this comment.
I think it's worth it to have this default secure, but add an option for it in Hugo's security config. I don't think either of us can know how much this will break until it ... breaks.
There was a problem hiding this comment.
OK, the above seem to be restricted to just script inside back ticks, which should be pretty rare:
var a = `{{.Title }}`;There was a problem hiding this comment.
The only example usage of JS template literals that I can remember seeing is #10707.
bep
force-pushed
the
fix/gobug-11112
branch
3 times, most recently
from
0fb411f
to
eed4b41
Compare
The template packages are based on go1.20.5 with the patch in befec5ddbbfbd81ec84e74e15a38044d67f8785b added. This also includes a security fix that now disallows Go template actions in JS literals (inside backticks). This will throw an error saying "... appears in a JS template literal". If you're really sure this isn't a security risk in your case, you can revert to the old behaviour: ```toml [security] [security.gotemplates] allowActionJSTmpl = true ``` See golang/go#59234 Fixes gohugoio#11112
There was a problem hiding this comment.
LGTM. Tested cases from #11112, and
<script>console.log(`{{ .Title }}`)</script>
with security.gotemplates.allowActionJSTmpl undefined (default to false), explicitly true, and explicitly false.
|
This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Fix upstream Go templates bug with reversed key/value assignment
The template packages are based on go1.20.5 with the patch in befec5ddbbfbd81ec84e74e15a38044d67f8785b added.
This also includes a security fix that now disallows Go template actions in JS literals (inside backticks).
This will throw an error saying "... appears in a JS template literal".
If you're really sure this isn't a security risk in your case, you can revert to the old behaviour:
See golang/go#59234
Fixes #11112