text/template: consider adding recursion depth limit for deeply nested expressions #71201
Labels: NeedsInvestigation (someone must examine and confirm this is a valid issue and not a duplicate of an existing one), Security
Go version
go version go1.23.4 darwin/arm64
Output of go env in your module/workspace:
What did you do?
Note: This is a public issue after discussing with the Go security team.
Created a program to test template parsing with deeply nested parentheses: https://go.dev/play/p/659Ry2YDb4Z
What did you see happen?
What did you expect to see?
Two improvements would be helpful:
html/template explicitly states "The security model used by this package assumes that template authors are trusted" in its package documentation, while text/template lacks similar guidance. Adding this documentation would help users better understand the package's security model.
Both changes would align with common parser implementation practices while maintaining clarity about the trust model.
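Until the parser itself bounds its recursion, code that loads templates from less-trusted sources can enforce a limit before calling Parse. The following is an added example, not code from this issue or from the Go project; the function names MaxParenDepth and ParseWithDepthLimit and the limit value are assumptions. It scans each {{ ... }} action for parenthesis nesting (ignoring parentheses inside quoted literals, so they cannot hide or fake depth) and refuses templates that exceed the limit.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// MaxParenDepth returns the deepest parenthesis nesting inside any {{ ... }} action of src.
func MaxParenDepth(src string) int {
	deepest, depth, inAction, quote := 0, 0, false, byte(0)
	for i := 0; i < len(src); i++ {
		c := src[i]
		switch {
		case !inAction: // literal text: wait for the action delimiter
			if strings.HasPrefix(src[i:], "{{") {
				inAction, depth = true, 0
				i++
			}
		case quote != 0: // inside a quoted literal; honour escapes except in raw strings
			if c == '\\' && quote != '`' {
				i++
			} else if c == quote {
				quote = 0
			}
		case c == '"' || c == '`' || c == '\'':
			quote = c
		case c == '(':
			depth++
			if depth > deepest {
				deepest = depth
			}
		case c == ')' && depth > 0:
			depth--
		case strings.HasPrefix(src[i:], "}}"):
			inAction = false
			i++
		}
	}
	return deepest
}

// ParseWithDepthLimit (assumed wrapper) rejects templates nesting deeper than limit before Parse runs.
func ParseWithDepthLimit(name, src string, limit int) (*template.Template, error) {
	if d := MaxParenDepth(src); d > limit {
		return nil, fmt.Errorf("template %q: nesting depth %d exceeds limit %d", name, d, limit)
	}
	return template.New(name).Parse(src)
}
func main() { fmt.Println(MaxParenDepth(`{{ (printf "%s" "hi") }}`)) } // prints 1
```

The limit applies only to parenthesised pipelines, which is the nesting this issue describes; a real deployment would pick the limit to match the goroutine stack budget it is willing to spend on parsing.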