On 2025-05-17 12:57:23 +0300, Niko Tyni wrote:
The attached change does not make HTML::Gumbo support <template>
properly but seems to plug this specific hole, and hence the
known security aspects.
I've checked that this doesn't break the (not very extensive) test
suite, and that the only reverse dependency in trixie, request-tracker5, still builds with this.
Tentatively tagging 'patch', but eyeballs would be good.
I think full support for <template> should be a separate wishlist bug.
I'll look into it, but anyway, it should currently be regarded just
like another HTML element (i.e. generate a "start"), otherwise this
would be an API breakage that could affect existing scripts.

In the HTML::Gumbo(3pm) man page:

    HTML::Gumbo->new->parse( $html, format => 'callback', callback => sub {
        my ($event) = shift;
        if ( $event eq 'document start' ) {
            my ($doctype) = @_;
        }
        elsif ( $event eq 'document end' ) {
        }
        elsif ( $event eq 'start' ) {
            my ($tag, $attrs) = @_;
        }
        elsif ( $event eq 'end' ) {
            my ($tag) = @_;
        }
        elsif ( $event eq /^(text|space|cdata|comment)$/ ) {
            my ($text) = @_;
        }
        else {
            die "Unknown event";
        }
    } );

with no mention of a specific event for the template element.
That was how I initially found the bug.
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
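
A regression check for the expectation stated in the message above, as an added example that is not part of the original message, the attached patch, or HTML::Gumbo's own test suite: it drives the documented callback interface over a constructed input and fails if <template> yields an undocumented event or no "start". The sample HTML and the start/end pairing check are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Gumbo;

# Constructed sample input: a <template> with content, followed by a sibling.
my $html = '<!DOCTYPE html><div><template><p>inside</p></template>'
         . '<p>after</p></div>';

my ( @trace, %unknown, %starts, %ends );

HTML::Gumbo->new->parse( $html, format => 'callback', callback => sub {
    my $event = shift;
    if ( $event eq 'document start' || $event eq 'document end' ) {
        push @trace, $event;
    }
    elsif ( $event eq 'start' ) {
        my ( $tag, $attrs ) = @_;
        $starts{ lc $tag }++;
        push @trace, "start <$tag>";
    }
    elsif ( $event eq 'end' ) {
        my ($tag) = @_;
        $ends{ lc $tag }++;
        push @trace, "end </$tag>";
    }
    elsif ( $event =~ /^(?:text|space|cdata|comment)$/ ) {
        push @trace, $event;
    }
    else {
        # A consumer written from the man page would die here; record the
        # event name instead so the whole run can be reported.
        $unknown{$event}++;
        push @trace, "UNKNOWN '$event'";
    }
} );

print "$_\n" for @trace;

my @problems;
push @problems, "undocumented event '$_' seen $unknown{$_} time(s)"
    for sort keys %unknown;
push @problems, "no 'start' event for <template>" unless $starts{template};
# Assumption of this example: every started <template> also reports an 'end'.
push @problems, "start/end count mismatch for <template>"
    if ( $starts{template} // 0 ) != ( $ends{template} // 0 );

print STDERR "FAIL: $_\n" for @problems;
exit( @problems ? 1 : 0 );
```

The non-zero exit status makes the script usable as a build-time or autopkgtest-style check against a patched package.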