The HTML specification contains a number of algorithms which are
quadratic in complexity by design. Instead of adding complicated
workarounds to prevent these cases from becoming extremely expensive in
pathological cases, we impose a limit of 512 to the size of the stack of
open elements. It is extremely unlikely that non-adversarial HTML
documents will ever hit this limit (but if we see cases of this, we may
want to make the limit configurable via a ParseOption).
Thanks to Guido Vranken and Jakub Ciolek for both independently
reporting this issue.
Fixes CVE-2025-47911
Fixesgolang/go#75682
Change-Id: I890517b189af4ffbf427d25d3fde7ad7ec3509ad
Reviewed-on: https://go-review.googlesource.com/c/net/+/709876
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
The current documentation as well as set of atoms and attributes has
gotten slightly out of sync with the current state of the WHATWG
html5 specification. The change adds and removes several of the atoms
and attributes, updates the documentation (such as steps numbering in
inBodyEndTagFormatting) and modifies the spec URLs to https://
Change-Id: I6dfa52785858c1521301b20b1e585e19a08b1e98
Reviewed-on: https://go-review.googlesource.com/6173
Reviewed-by: Nigel Tao <nigeltao@golang.org>
