On 2025-05-17 12:57:23 +0300, Niko Tyni wrote:
> The attached change does not make HTML::Gumbo support <template>
> properly but seems to plug this specific hole, and hence the
> known security aspects.
>
> I've checked that this doesn't break the (not very extensive) test
> suite, and that the only reverse dependency in trixie, request-tracker5,
> still builds with this.
>
> Tentatively tagging 'patch', but eyeballs would be good.
>
> I think full support for <template> should be a separate wishlist bug.

I'll look into it, but anyway, it should currently be regarded
just like another HTML element (i.e. generate a "start"), otherwise
this would be an API breakage that could affect existing scripts.

In the HTML::Gumbo(3pm) man page:

    HTML::Gumbo->new->parse(
        $html,
        format => 'callback',
        callback => sub {
            my ($event) = shift;
            if ( $event eq 'document start' ) {
                my ($doctype) = @_;
            }
            elsif ( $event eq 'document end' ) {
            }
            elsif ( $event eq 'start' ) {
                my ($tag, $attrs) = @_;
            }
            elsif ( $event eq 'end' ) {
                my ($tag) = @_;
            }
            elsif ( $event =~ /^(text|space|cdata|comment)$/ ) {
                my ($text) = @_;
            }
            else {
                die "Unknown event";
            }
        }
    );

with no mention of a specific event for the template element.
That was how I initially found the bug.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
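
The API expectation stated in the message above can be written as a regression check. This is an added example, not part of the original message, the attached patch, or HTML::Gumbo itself; it uses only the callback interface quoted from the man page, and the sample HTML and the pass/fail criteria are constructed here as assumptions.

```perl
#!/usr/bin/perl
# Added example: checks that <template> is reported through the documented
# callback events only, with a 'start' and a matching 'end'.
use strict;
use warnings;
use HTML::Gumbo;

# Constructed sample input (no void elements, so every start needs an end).
my $html = '<!DOCTYPE html><html><body><p>before</p>'
         . '<template id="t"><b>inside</b></template>'
         . '<p>after</p></body></html>';

my (@open, %starts, @problems);

HTML::Gumbo->new->parse(
    $html,
    format   => 'callback',
    callback => sub {
        my $event = shift;
        if ( $event eq 'start' ) {
            my ($tag) = @_;
            $starts{$tag}++;
            push @open, $tag;            # track nesting
        }
        elsif ( $event eq 'end' ) {
            my ($tag) = @_;
            my $expected = pop @open;
            push @problems, "end '$tag' does not match open '"
                . ( $expected // 'none' ) . "'"
                unless defined $expected && $expected eq $tag;
        }
        elsif ( $event !~ /^(?:document start|document end|text|space|cdata|comment)$/ ) {
            # Anything else would break scripts written against the man page.
            push @problems, "undocumented event '$event'";
        }
    },
);

push @problems, "unclosed elements: @open" if @open;
push @problems, "no 'start' event for <template>" unless $starts{template};

if (@problems) {
    print "FAIL: $_\n" for @problems;
    exit 1;
}
print "ok: <template> reported like any other element\n";
```

The check does not assert how the content inside <template> is reported, since the thread leaves full <template> support to a separate wishlist bug.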