Go 1.21 made it a run-time error to call `panic` with a nil interface value,
controlled by the [`panicnil` setting](/pkg/builtin/#panic).
-There is no plan to remove this setting.
+
+Go 1.21 made it an error for html/template actions to appear inside of an ECMAScript 6
+template literal, controlled by the
+[`jstmpllitinterp` setting](/pkg/html/template#hdr-Security_Model).
+This behavior was backported to Go 1.19.8+ and Go 1.20.3+.
+
+Go 1.21 introduced a limit on the maximum number of MIME headers and multipart
+forms, controlled by the
+[`multipartmaxheaders` and `multipartmaxparts` settings](/pkg/mime/multipart#hdr-Limits)
+respectively.
+This behavior was backported to Go 1.19.8+ and Go 1.20.3+.
+
+There is no plan to remove any of these settings.
### Go 1.20
"A developer (or code reviewer) familiar with HTML, CSS, and JavaScript, who
knows that contextual autoescaping happens should be able to look at a {{.}}
and correctly infer what sanitization happens."
+
+As a consequence of the Least Surprise Property, template actions within an
+ECMAScript 6 template literal are disabled by default.
+Handling string interpolation within these literals is rather complex resulting
+in no clear safe way to support it.
+To re-enable template actions within ECMAScript 6 template literals, use the
+GODEBUG=jstmpllitinterp=1 environment variable.
*/
package template
The implementation is sufficient for HTTP (RFC 2388) and the multipart
bodies generated by popular browsers.
+
+# Limits
+
+To protect against malicious inputs, this package sets limits on the size
+of the MIME data it processes.
+
+Reader.NextPart and Reader.NextRawPart limit the number of headers in a
+part to 10000 and Reader.ReadForm limits the total number of headers in all
+FileHeaders to 10000.
+These limits may be adjusted with the GODEBUG=multipartmaxheaders=<values>
+setting.
+
+Reader.ReadForm further limits the number of parts in a form to 1000.
+This limit may be adjusted with the GODEBUG=multipartmaxparts=<value>
+setting.
*/
package multipart