Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
[
{
"vendor": "golang.org/x/net",
"product": "golang.org/x/net/html",
"collectionURL": "https://pkg.go.dev",
"packageName": "golang.org/x/net/html",
"versions": [
{
"version": "0",
"lessThan": "0.13.0",
"status": "affected",
"versionType": "semver"
}
],
"programRoutines": [
{
"name": "render1"
},
{
"name": "Render"
}
],
"defaultStatus": "unaffected"
}
]