From: Roland Shoemaker <roland@golang.org>
Date: Wed, 8 May 2024 16:17:05 +0000 (-0700)
Subject: html: update jstmpllitinterp doc
X-Git-Tag: go1.23rc1~214
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=0ec709f180c8c2453694d79d1761e279ea77f675;p=gostls13.git

html: update jstmpllitinterp doc

We no longer do anything with this GODEBUG.

Fixes #66217

Change-Id: I998797b6a573013f5b9c8ded835acae572327d18
Reviewed-on: https://go-review.googlesource.com/c/go/+/584117
Reviewed-by: Cherry Mui <cherryyz@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
---

diff --git a/doc/godebug.md b/doc/godebug.md
index b5bee3a613..b3a00a0c2b 100644
--- a/doc/godebug.md
+++ b/doc/godebug.md
@@ -193,6 +193,10 @@ Go 1.23 changed the behavior of
 serial numbers that are longer than 20 octets. This change can be reverted with
 the the [`x509seriallength` setting](/pkg/crypto/x509/#ParseCertificate).
 
+Go 1.23 re-enabled support in html/template for ECMAScript 6 template literals by default.
+The [`jstmpllitinterp` setting](/pkg/html/template#hdr-Security_Model) no longer has
+any effect.
+
 ### Go 1.22
 
 Go 1.22 adds a configurable limit to control the maximum acceptable RSA key size
diff --git a/src/html/template/doc.go b/src/html/template/doc.go
index 672d42ba32..b7be04cbd0 100644
--- a/src/html/template/doc.go
+++ b/src/html/template/doc.go
@@ -232,11 +232,9 @@ Least Surprise Property:
 knows that contextual autoescaping happens should be able to look at a {{.}}
 and correctly infer what sanitization happens."
 
-As a consequence of the Least Surprise Property, template actions within an
-ECMAScript 6 template literal are disabled by default.
-Handling string interpolation within these literals is rather complex resulting
-in no clear safe way to support it.
-To re-enable template actions within ECMAScript 6 template literals, use the
-GODEBUG=jstmpllitinterp=1 environment variable.
+Previously, ECMAScript 6 template literal were disabled by default, and could be
+enabled with the GODEBUG=jstmpllitinterp=1 environment variable. Template
+literals are now supported by default, and setting jstmpllitinterp has no
+effect.
 */
 package template