Cypherpunks repositories - gostls13.git/commit
html/template: support HTML-like comments in script contexts
author Roland Shoemaker <bracewell@google.com>
Thu, 3 Aug 2023 19:24:13 +0000 (12:24 -0700)
committer Cherry Mui <cherryyz@google.com>
Wed, 6 Sep 2023 18:11:19 +0000 (18:11 +0000)
commit 67fb00396d1f0acf4b726990d5cd729ecace403c
tree 87833c57a44a101899d6533269966a05c5076033
parent e844d72421fb34b57eddf2653b33ed5ebf146b64
html/template: support HTML-like comments in script contexts

Per Appendix B.1.1 of the ECMAScript specification, support HTML-like
comments in script contexts. Also per section 12.5, support hashbang
comments. This brings our parsing in line with how browsers treat these
comment types.

Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for
reporting this issue.

Fixes #62196
Fixes CVE-2023-39318

Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/526156
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
src/html/template/context.go
src/html/template/escape.go
src/html/template/escape_test.go
src/html/template/state_string.go
src/html/template/transition.go
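
The comment forms named in the commit message, shown as an added example (not code from this commit, and not how html/template implements the change): a Go function that removes everything a browser ignores as a comment in a classic script, which is the view an escaper has to share to track script context correctly. Assumptions of this sketch: regular-expression literals and `${}` nesting in template literals are not tracked, and the start of input counts as a line start for `-->`.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

const lineTerms = "\n\r\u2028\u2029" // ECMAScript line terminators

// StripJSComments drops what a browser ignores as comments in a classic script:
// //, /* */, <!--, --> at line start, leading #!. Assumed: no regex/${} tracking.
func StripJSComments(src string) string {
	var out strings.Builder
	lineStart := true // only whitespace or comments so far on this line
	for i := 0; i < len(src); {
		rest := src[i:]
		switch {
		case i == 0 && strings.HasPrefix(rest, "#!"), strings.HasPrefix(rest, "//"),
			strings.HasPrefix(rest, "<!--"), lineStart && strings.HasPrefix(rest, "-->"):
			i += strings.IndexAny(rest+"\n", lineTerms) // stop at the line terminator
		case strings.HasPrefix(rest, "/*"):
			body, after, _ := strings.Cut(rest[2:], "*/") // unterminated: all comment
			lineStart = lineStart || strings.ContainsAny(body, lineTerms)
			i = len(src) - len(after)
		case rest[0] == '"' || rest[0] == '\'' || rest[0] == '`':
			j := 1 // copy the literal verbatim; comment tokens inside it are data
			for ; j < len(rest) && rest[j] != rest[0]; j++ {
				if rest[j] == '\\' && j+1 < len(rest) {
					j++ // skip the escaped byte
				}
			}
			if j < len(rest) {
				j++ // include the closing quote
			}
			out.WriteString(rest[:j])
			i, lineStart = i+j, false
		default:
			r, w := utf8.DecodeRuneInString(rest)
			lineStart = strings.ContainsRune(lineTerms, r) || lineStart && (r == ' ' || r == '\t')
			out.WriteString(rest[:w])
			i += w
		}
	}
	return out.String()
}

// Constructed sample input, not taken from the commit.
func main() { fmt.Printf("%q\n", StripJSComments("a = 1 <!-- x()\n--> y()\nb = 2\n")) }
```

In the sample, both `x()` and `y()` disappear from the output, while `n --> 0` in the middle of a line and `<!--` inside a string literal are left alone.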