Neal Patel (Gerrit)

unread,

Apr 27, 2026, 5:37:22 PM (2 days ago) Apr 27

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Neal Patel has uploaded the change for review

Commit message

html/template: fix escaper bypass by treating empty script type as JavaScript

Thank you to Mundur (https://github.com/M0nd0R) for reporting this issue.

Fixes #78981
Fixes CVE-2026-39826

Change-Id: I3f2e06496020ece655d156fb099ff556af8cc836

Change diff

diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
index a39d696..aef5e01 100644
--- a/src/html/template/escape_test.go
+++ b/src/html/template/escape_test.go
@@ -233,6 +233,21 @@
 			`<script>alert(["\u003ca\u003e","\u003cb\u003e"])</script>`,
 		},
 		{
+			"scriptTypeSpace",
+			"<script type=\" \">{{.H}}</script>",
+			"<script type=\" \">\"\\u003cHello\\u003e\"</script>",
+		},
+		{
+			"scriptTypeTab",
+			"<script type=\"\t\">{{.H}}</script>",
+			"<script type=\"\t\">\"\\u003cHello\\u003e\"</script>",
+		},
+		{
+			"scriptTypeEmpty",
+			"<script type=\"\">{{.H}}</script>",
+			"<script type=\"\">\"\\u003cHello\\u003e\"</script>",
+		},
+		{
 			"jsObjValueNotOverEscaped",
 			"<button onclick='alert({{.A | html}})'>",
 			`<button onclick='alert([&#34;\u003ca\u003e&#34;,&#34;\u003cb\u003e&#34;])'>`,
diff --git a/src/html/template/js.go b/src/html/template/js.go
index b3bf948..e2db30f 100644
--- a/src/html/template/js.go
+++ b/src/html/template/js.go
@@ -462,6 +462,7 @@
 	mimeType = strings.TrimSpace(mimeType)
 	switch mimeType {
 	case
+		"",
 		"application/ecmascript",
 		"application/javascript",
 		"application/json",

Change information

Files:

M src/html/template/escape_test.go
M src/html/template/js.go

Change size: S

Delta: 2 files changed, 16 insertions(+), 0 deletions(-)

Open in Gerrit

Related details

Attention set is empty

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Apr 27, 2026, 5:37:34 PM (2 days ago) Apr 27

to goph...@pubsubhelper.golang.org, Roland Shoemaker, golang-co...@googlegroups.com

Attention needed from Roland Shoemaker

Neal Patel voted Commit-Queue+1

Commit-Queue

+1

Open in Gerrit

Related details

Attention is currently required from:

Roland Shoemaker

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Apr 28, 2026, 12:47:55 PM (16 hours ago) Apr 28

to goph...@pubsubhelper.golang.org, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, Roland Shoemaker, golang-co...@googlegroups.com

Attention needed from Roland Shoemaker

Neal Patel voted Commit-Queue+1

Commit-Queue

+1

Open in Gerrit

Related details

Attention is currently required from:

Roland Shoemaker

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Roland Shoemaker (Gerrit)

unread,

Apr 28, 2026, 4:09:06 PM (13 hours ago) Apr 28

to Neal Patel, goph...@pubsubhelper.golang.org, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, golang-co...@googlegroups.com

Attention needed from Neal Patel

Roland Shoemaker voted Code-Review+2

Code-Review

+2

Open in Gerrit

Related details

Attention is currently required from:

Neal Patel

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Apr 28, 2026, 8:53:33 PM (8 hours ago) Apr 28

to goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Roland Shoemaker, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, golang-co...@googlegroups.com

Neal Patel submitted the change

Change information

Commit message:

html/template: fix escaper bypass by treating empty script type as JavaScript

Thank you to Mundur (https://github.com/M0nd0R) for reporting this issue.

Fixes #78981
Fixes CVE-2026-39826

Change-Id: I3f2e06496020ece655d156fb099ff556af8cc836

Reviewed-on: https://go-review.googlesource.com/c/go/+/771180

Reviewed-by: Roland Shoemaker <rol...@golang.org>

LUCI-TryBot-Result: golang...@luci-project-accounts.iam.gserviceaccount.com <golang...@luci-project-accounts.iam.gserviceaccount.com>

Files:

M src/html/template/escape_test.go
M src/html/template/js.go

Change size: S

Delta: 2 files changed, 16 insertions(+), 0 deletions(-)

Branch: refs/heads/master

Submit Requirements:

Code-Review: +2 by Roland Shoemaker
TryBots-Pass: LUCI-TryBot-Result+1 by golang...@luci-project-accounts.iam.gserviceaccount.com

Open in Gerrit

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

open

diffy

satisfied_requirement

Reply all

Reply to author

Forward

[go] html/template: fix escaper bypass by treating empty script type as JavaScript

Neal Patel (Gerrit)

Neal Patel has uploaded the change for review

Commit message

Change diff

Change information

Related details

Neal Patel (Gerrit)

Neal Patel voted Commit-Queue+1

Related details

Neal Patel (Gerrit)

Neal Patel voted Commit-Queue+1

Related details

Roland Shoemaker (Gerrit)

Roland Shoemaker voted Code-Review+2

Related details

Neal Patel (Gerrit)

Neal Patel submitted the change

Change information