html: use strings.EqualFold instead of lowering ourselves

Instead of using strings.ToLower and == to check case insensitive equality, just use strings.EqualFold, even when the strings are only ASCII. This prevents us unnecessarily lowering extremely long strings, which can be a somewhat expensive operation, even if we're only attempting to compare equality with five characters. Thanks to Guido Vranken for reporting this issue. Fixes golang/go#70906 Fixes CVE-2024-45338 Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128 Reviewed-on: https://go-review.googlesource.com/c/net/+/637536 LUCI-TryBot-Result: Go LUCI <[email protected]> Auto-Submit: Gopher Robot <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]>
golang · Dec 18, 2024 · 8e66b04 · 8e66b04
1 parent b935f7b
commit 8e66b04
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 5 deletions.
diff --git a/html/doctype.go b/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
 			}
 		}
 		if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
-			strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+			strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
 			quirks = true
 		}
 	}

diff --git a/html/foreign.go b/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
 		if n.Data == "annotation-xml" {
 			for _, a := range n.Attr {
 				if a.Key == "encoding" {
-					val := strings.ToLower(a.Val)
-					if val == "text/html" || val == "application/xhtml+xml" {
+					if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
 						return true
 					}
 				}

diff --git a/html/parse.go b/html/parse.go
@@ -1035,7 +1035,7 @@ func inBodyIM(p *parser) bool {
 			if p.tok.DataAtom == a.Input {
 				for _, t := range p.tok.Attr {
 					if t.Key == "type" {
-						if strings.ToLower(t.Val) == "hidden" {
+						if strings.EqualFold(t.Val, "hidden") {
 							// Skip setting framesetOK = false
 							return true
 						}
@@ -1463,7 +1463,7 @@ func inTableIM(p *parser) bool {
 			return inHeadIM(p)
 		case a.Input:
 			for _, t := range p.tok.Attr {
-				if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+				if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
 					p.addElement()
 					p.oe.pop()
 					return true