this post was submitted on 24 Oct 2023
10 points (91.7% liked)

Golang

2217 readers
1 users here now

This is a community dedicated to the go programming language.

Useful Links:

Rules:

founded 1 year ago
MODERATORS
 

In this write-up, we’ll delve into how, through differential fuzzing, we uncovered a bug in Go’s exp/net HTML’s tokenizer. We’ll show potential XSS implications of this flaw. Additionally, we’ll outline how Google assessed this finding within their VRP program and guide how to engage and employ fuzzing to evaluate your software.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 1 year ago

I think this is a good bug find, but I don't know why anyone would pass the original "safe" input through unchanged, instead of reserializing it.