encoding/xml: does not reject forbidden processing instruction names #68499
Description
Go version
1.22
Output of go env in your module/workspace:
GO111MODULE='' GOARCH='amd64' GOBIN='' GOCACHE='/home/user/.cache/go-build' GOENV='/home/user/.config/go/env' GOEXE='' GOEXPERIMENT='' GOFLAGS='' GOHOSTARCH='amd64' GOHOSTOS='linux' GOINSECURE='' GOMODCACHE='/home/user/go/pkg/mod' GONOPROXY='' GONOSUMDB='' GOOS='linux' GOPATH='/home/user/go' GOPRIVATE='' GOPROXY='https://proxy.golang.org,direct' GOROOT='/home/user/go/go' GOSUMDB='sum.golang.org' GOTMPDIR='' GOTOOLCHAIN='auto' GOTOOLDIR='/home/user/go/go/pkg/tool/linux_amd64' GOVCS='' GOVERSION='devel go1.23-071b8d51c1a70fa6b12f0bed2e93370e193333fd Fri Jul 12 22:42:17 2024 +0000' GODEBUG='' GOTELEMETRY='local' GOTELEMETRYDIR='/home/user/.config/go/telemetry' GCCGO='gccgo' GOAMD64='v1' AR='ar' CC='gcc' CXX='g++' CGO_ENABLED='1' GOMOD='/dev/null' GOWORK='' CGO_CFLAGS='-O2 -g' CGO_CPPFLAGS='' CGO_CXXFLAGS='-O2 -g' CGO_FFLAGS='-O2 -g' CGO_LDFLAGS='-O2 -g' PKG_CONFIG='pkg-config' GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2107157220=/tmp/go-build -gno-record-gcc-switches'What did you do?
https://go.dev/play/p/ldTeErDvu3t
package main import "encoding/xml" func main() { err := xml.Unmarshal([]byte(`<?a /b?><a/>`), new(interface{})) if err != nil { panic("well-formed XML rejected") } err = xml.Unmarshal([]byte(`<?xmla b?><a/>`), new(interface{})) if err == nil { panic("forbidden processing instruction name accepted") } } What did you see happen?
Ill-formed XMl with forbidden processing instruction name accepted.
What did you expect to see?
Ill-formed XMl with forbidden processing instruction name rejected.