Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "golang-1.20-src": "1.20.3-1ubuntu0.1~20.04", "golang-1.20": "1.20.3-1ubuntu0.1~20.04", "golang-1.20-doc": "1.20.3-1ubuntu0.1~20.04", "golang-1.20-go": "1.20.3-1ubuntu0.1~20.04", "golang-1.20-go-dbgsym": "1.20.3-1ubuntu0.1~20.04" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "golang-1.20-src": "1.20.3-1ubuntu0.1~22.04", "golang-1.20": "1.20.3-1ubuntu0.1~22.04", "golang-1.20-doc": "1.20.3-1ubuntu0.1~22.04", "golang-1.20-go": "1.20.3-1ubuntu0.1~22.04", "golang-1.20-go-dbgsym": "1.20.3-1ubuntu0.1~22.04" } ] }