CVE-2023-24539: Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts....
7.3
Miggo AI
Root Cause Analysis
The vulnerability stems from improper sanitization of CSS values in the html/template package. The patch modifies the regular expressions (cssValueAllowList, urlStart, identStart) used to validate CSS, which indicates that the previous versions of these patterns were too permissive and left room for injection attacks. The functions within html/template that apply these regular expressions for CSS validation are therefore the vulnerable ones. Although the diff does not name those functions, the modified regex variables are strong indicators of where the vulnerability lies. The commit 0155a195539901f5cc7009e87f8f6569e701f12a, which contains these changes, is titled 'html/template: adjust CSS sanitation', further confirming the nature of the fix and that the vulnerability sits in the CSS handling of the html/template package. The NVD page also points to src/html/template/css.go as the affected component.

The vulnerability description specifically notes that 'Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context'. The changes to cssValueAllowList, which now explicitly handles calc(...) and changes how lists of values (potentially separated by /) are parsed, directly address this. The functions that use cssValueAllowList (and the other regexes) to parse and sanitize CSS values are the ones that would appear in a runtime profile during exploitation. These are most likely internal functions within the html/template package that process CSS content in templates. Since the regexes themselves are global variables, every function that used them for validation was previously validating against a vulnerable pattern. The most directly affected logic is the validation performed by cssValueAllowList.
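A regression check that a Go toolchain's html/template refuses angle brackets in a CSS value context, written here as an added example (it is not code from this page or from the Go project). The template, the font struct and the sample inputs are constructed for the check; it assumes a patched toolchain substitutes html/template's failsafe token "ZgotmplZ" for an unsafe CSS value, and the font shorthand deliberately places two actions either side of a literal '/', the template shape the CVE description calls out.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Constructed template: an action inside a <style> body is a CSS value
// context, where html/template applies only its CSS value filter. The
// font shorthand puts two actions either side of a literal '/'.
const fontTmpl = `<style>p { font: {{.Size}}/{{.Line}} {{.Family}} }</style>`

type font struct{ Size, Line, Family string } // values fed to fontTmpl

// renderFont executes fontTmpl with f as untrusted input and returns the HTML.
func renderFont(f font) (string, error) {
	t, err := template.New("font").Parse(fontTmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, f); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// angleBracketsRejected reports whether this toolchain's html/template
// refuses '<' and '>' in a CSS value: a patched toolchain emits the
// failsafe token "ZgotmplZ", an unpatched one copies the brackets verbatim.
func angleBracketsRejected() (bool, error) {
	for _, v := range []string{"a<b", "a>b"} { // constructed inputs
		out, err := renderFont(font{Size: "12px", Line: "1.5", Family: v})
		if err != nil {
			return false, err
		}
		if !strings.Contains(out, "ZgotmplZ") || strings.Contains(out, v) {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	ok, err := angleBracketsRejected()
	fmt.Printf("angle brackets rejected in CSS context: %v (err=%v)\n", ok, err)
}
```

Run it with the toolchain under review: a false result means untrusted values can place raw angle brackets inside a <style> element and the toolchain should be upgraded.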