A cross-site scripting (XSS) vulnerability in the Go `net/html` package allows attackers to bypass HTML sanitization by exploiting unexpected HTML tree construction when parsing arbitrary HTML that is subsequently rendered. The vulnerability stems from how the parser handles certain HTML structures, producing a DOM tree that differs from what sanitizers expect, enabling injection of executable content.
A cross-site scripting (XSS) vulnerability in Go's golang.org/x/net/html package allows attackers to bypass HTML sanitization by crafting input that produces an unexpected HTML tree when parsed and subsequently rendered. The flaw affects applications that parse arbitrary HTML and then render it using the Render function, where the parser's output tree structure differs from what sanitizers expect. The vul [truncated]
A denial-of-service vulnerability exists in the Go `golang.org/x/net` HTML parsing package. Parsing attacker-controlled HTML can trigger excessive CPU consumption, leading to application unavailability. The issue is rated CVSS 3.1 6.5 (Medium) with an attack vector of network, low attack complexity, no privileges required, and user interaction required. The vulnerability stems from uncontrolled resource c [truncated]