GHSA-3v85-fqvh-7rxf MEDIUM go/github.com/lin-snow/Ech0

CVE:

Summary

The public RSS/Atom feed at /rss renders two attacker-controlled surfaces without HTML escaping. Tag names flow through fmt.Appendf(renderedContent, "<br /><span class=\"tag\">#%s</span>", tag.Name) at internal/service/common/common.go:120, and the Markdown renderer at internal/util/md/md.go does not set the html.SkipHTML flag, so raw HTML blocks in echo content pass through unmodified. The resulting Atom <summary type="html"> is valid XML but contains executable <script> tags after the RSS reader decodes it. RSS subscribers whose readers render HTML (including many self-hosted and desktop clients) execute attacker JavaScript in the reader's origin.

Details

Tag sink at internal/service/common/common.go:120:

if len(msg.Tags) > 0 {
    for _, tag := range msg.Tags {
        renderedContent = fmt.Appendf(renderedContent,
            "<br /><span class=\"tag\">#%s</span>", tag.Name)
    }
}

fmt.Appendf with %s does not HTML-escape. Tag names come from user-supplied EchoUpsertDto.Tags and are persisted after strings.TrimSpace(strings.TrimPrefix(tag.Name, "#")) at internal/service/echo/echo.go:326, which strips a leading # and trims whitespace but does nothing about HTML metacharacters. A tag name of </span><script>document.title='RSS-XSS-HIT'</script><span>x breaks out of the surrounding <span> element and injects executable JavaScript into the RSS summary field.

Markdown sink at internal/util/md/md.go:

htmlFlags := html.CommonFlags | html.Safelink | html.HrefTargetBlank |
             html.NoopenerLinks | html.NoreferrerLinks
// html.SkipHTML is NOT set

The gomarkdown library passes raw HTML through when SkipHTML is not set. MdToHTML([]byte(msg.Content)) at internal/service/common/common.go:102 produces the rendered HTML for the echo body; tag markup is appended to that output at line 120 and the combined byte slice becomes the RSS summary field.

The RSS feed declares `<summary type

📌 来源: GitHub-Advisory | 📅 2026-05-07