From 197ff37d8c9aed02c63a52a995f0cc361e01a10a Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour <demi@invisiblethingslab.com>
Date: Sun, 14 Jul 2024 15:28:43 -0400
Subject: [PATCH] encoding/xml: Require whitespace between attributes

This is needed to reject the ill-formed document <a b='c'c='d/>.

Fixes: #68385
---
 src/encoding/xml/xml.go      | 26 ++++++++++++++++++++------
 src/encoding/xml/xml_test.go |  8 +++++---
 2 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/src/encoding/xml/xml.go b/src/encoding/xml/xml.go
index 0fe323f7c86..da8aebafa79 100644
--- a/src/encoding/xml/xml.go
+++ b/src/encoding/xml/xml.go
@@ -794,13 +794,30 @@ func (d *Decoder) rawToken() (Token, error) {
 	}
 
 	attr = []Attr{}
-	for {
-		d.space()
+	Outer: for {
 		if b, ok = d.mustgetc(); !ok {
 			return nil, d.err
 		}
-		if b == '/' {
+		switch b {
+		case ' ', '\t', '\r', '\n':
+			// Skip subsequent spaces
+			d.space()
+			if b, ok = d.mustgetc(); !ok {
+				return nil, d.err
+			}
+			if b == '>' {
+				break Outer
+			}
+			empty = b == '/'
+		case '>':
+			break Outer
+		case '/':
 			empty = true
+		default:
+			d.err = d.syntaxError("expected whitespace, />, or > following element name or attribute value")
+			return nil, d.err
+		}
+		if empty {
 			if b, ok = d.mustgetc(); !ok {
 				return nil, d.err
 			}
@@ -810,9 +827,6 @@ func (d *Decoder) rawToken() (Token, error) {
 			}
 			break
 		}
-		if b == '>' {
-			break
-		}
 		d.ungetc(b)
 
 		a := Attr{}
diff --git a/src/encoding/xml/xml_test.go b/src/encoding/xml/xml_test.go
index b2a06a76397..840d751d667 100644
--- a/src/encoding/xml/xml_test.go
+++ b/src/encoding/xml/xml_test.go
@@ -265,6 +265,8 @@ var xmlInput = []string{
 	"<t a>",
 	"<t a=>",
 	"<t a=v>",
+	// Issue 68385
+	"<a b='c'c='d'/>",
 	//	"<![CDATA[d]]>",	// let the Token() caller handle
 	"<t></e>",
 	"<t></>",
@@ -1122,15 +1124,15 @@ func TestIssue7113(t *testing.T) {
 }
 
 func TestIssue20396(t *testing.T) {
-
-	var attrError = UnmarshalError("XML syntax error on line 1: expected attribute name in element")
+	var attrError = UnmarshalError("XML syntax error on line 1: expected whitespace, />, or > following element name or attribute value")
 
 	testCases := []struct {
 		s       string
 		wantErr error
 	}{
 		{`<a:te:st xmlns:a="abcd"/>`, // Issue 20396
-			UnmarshalError("XML syntax error on line 1: expected element name after <")},
+			UnmarshalError("XML syntax error on line 1: colon after prefixed XML name a:te")},
+		{`<a test='d'xmlns:a="abcd"/>`, attrError},
 		{`<a:te=st xmlns:a="abcd"/>`, attrError},
 		{`<a:te&st xmlns:a="abcd"/>`, attrError},
 		{`<a:test xmlns:a="abcd"/>`, nil},