PT-2018-14220 · Google · X/Net/Html

Tr3Ee · Published 2018-10-01 · Updated 2023-09-09 · CVE-2018-17848

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: html package (aka x/net/html) versions through 2018-09-25

Description: The issue arises from the html package mishandling certain HTML tags, such as <math><template><mn><b></template> and <svg><template><desc><t><svg></template>, leading to a "panic: runtime error" (index out of range) during an html.Parse call. This error occurs in functions like (*insertionModeStack).pop in node.go and (*nodeStack).pop in node.go. The html.Parse function can panic on some invalid inputs.

Recommendations: For versions through 2018-09-25, consider avoiding the use of the html.Parse function with potentially malformed HTML inputs until a fix is available. As a temporary workaround, validate and sanitize HTML inputs before passing them to the html.Parse function to minimize the risk of panic. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
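
A complementary containment measure, as an added example that is not part of the original advisory or of the x/net/html project: wrap the parse call so that a runtime panic becomes an ordinary error instead of terminating the process. Guard, ParseUntrusted, ErrParserPanic and stubParse are hypothetical names; stubParse is a constructed stand-in for html.Parse so the code runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
)

var ErrParserPanic = errors.New("parser panicked on untrusted input")

// Guard (hypothetical helper) turns a runtime panic raised inside fn into an error.
func Guard(fn func() error) (err error) {
	defer func() {
		if p := recover(); p != nil {
			err = fmt.Errorf("%w: %v", ErrParserPanic, p)
		}
	}()
	return fn()
}

// stubParse: constructed stand-in for html.Parse that pops its stack unchecked.
func stubParse(r io.Reader) (int, error) {
	data, err := io.ReadAll(r)
	if err != nil {
		return 0, err
	}
	stack, nodes := []string{}, 0
	for _, tok := range strings.SplitAfter(string(data), ">") {
		if tok == "</template>" {
			stack = stack[:len(stack)-1] // panics when the stack is empty
		} else if strings.HasPrefix(tok, "<") && !strings.HasPrefix(tok, "</") {
			stack = append(stack, tok)
			nodes++
		}
	}
	return nodes, nil
}

// ParseUntrusted wraps the parser; with x/net/html, call html.Parse here instead.
func ParseUntrusted(r io.Reader) (nodes int, err error) {
	err = Guard(func() (e error) { nodes, e = stubParse(r); return })
	return nodes, err
}

func main() {
	for _, in := range []string{"<template><b></template>", "</template>"} { // constructed inputs
		fmt.Println(ParseUntrusted(strings.NewReader(in)))
	}
}
```

recover only intercepts panics raised on the goroutine that called Guard, so the parse must run synchronously inside the closure; input that returns ErrParserPanic should be rejected and logged rather than retried.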

Exploit

Buffer Overflow

Improper Validation of Array Index

Weakness Enumeration

Related Identifiers

CVE-2018-17848
GHSA-4R78-HX75-JJJ2
GHSA-MV93-WVCP-7M7R
GO-2022-0197

Affected Products

X/Net/Html