html/template: escape JS in application/json script tag

Since ffd1c781b77aab542713b66ef387fa9307e4060b HTML templates check
MIME type in the "type" attribute of "script" tag to decide if contents
should be escaped as JavaScript. The whitelist of MIME types did not
include application/json. Include it in this CL.

Fixes #18159

Change-Id: I17a8a38f2b7789b4b7e941d14279de222eaf2b6a
Reviewed-on: https://go-review.googlesource.com/33899
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

diff --git a/src/html/template/js.go b/src/html/template/js.go
index 8f1185c81edaf7df00feaf6042dc28b8b1fe89c5..6434fa3be63217f90c4b0aae8dbc0ec6b523063b 100644 (file)
--- a/src/html/template/js.go
+++ b/src/html/template/js.go
@@ -368,9 +368,10 @@ func isJSIdentPart(r rune) bool {
 // It is used to determine whether a script tag with a type attribute is a javascript container.
 func isJSType(mimeType string) bool {
        // per
-       //   http://www.w3.org/TR/html5/scripting-1.html#attr-script-type
+       //   https://www.w3.org/TR/html5/scripting-1.html#attr-script-type
        //   https://tools.ietf.org/html/rfc7231#section-3.1.1
-       //   http://tools.ietf.org/html/rfc4329#section-3
+       //   https://tools.ietf.org/html/rfc4329#section-3
+       //   https://www.ietf.org/rfc/rfc4627.txt
 
        // discard parameters
        if i := strings.Index(mimeType, ";"); i >= 0 {
@@ -381,6 +382,7 @@ func isJSType(mimeType string) bool {
        case
                "application/ecmascript",
                "application/javascript",
+               "application/json",
                "application/x-ecmascript",
                "application/x-javascript",
                "text/ecmascript",