html/template: example for disallowed script type change

Fixes #59112

Change-Id: I617f8a4581a55a0f134f488462f415ec22eb4ee3
Reviewed-on: https://go-review.googlesource.com/c/go/+/496145
Reviewed-by: Junyang Shao <shaojunyang@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>

diff --git a/src/html/template/error.go b/src/html/template/error.go
index 805a788bfc3401b28236d7aaa4b9a7cc4b549d45..f85977841e6bfbd6988fb27bd71a2beb5e0d7834 100644 (file)
--- a/src/html/template/error.go
+++ b/src/html/template/error.go
@@ -79,15 +79,18 @@ const (
        ErrBadHTML
 
        // ErrBranchEnd: "{{if}} branches end in different contexts"
-       // Example:
+       // Examples:
        //   {{if .C}}<a href="{{end}}{{.X}}
+       //   <script {{with .T}}type="{{.}}"{{end}}>
        // Discussion:
        //   Package html/template statically examines each path through an
        //   {{if}}, {{range}}, or {{with}} to escape any following pipelines.
-       //   The example is ambiguous since {{.X}} might be an HTML text node,
+       //   The first example is ambiguous since {{.X}} might be an HTML text node,
        //   or a URL prefix in an HTML attribute. The context of {{.X}} is
        //   used to figure out how to escape it, but that context depends on
        //   the run-time value of {{.C}} which is not statically known.
+       //   The second example is ambiguous as the script type attribute
+       //   can change the type of escaping needed for the script contents.
        //
        //   The problem is usually something like missing quotes or angle
        //   brackets, or can be avoided by refactoring to put the two contexts