authorNodir Turakulov <nodir@google.com>2015-09-05 06:38:13 -0700
committerRuss Cox <rsc@golang.org>2016-09-29 20:12:31 +0000
commitffd1c781b77aab542713b66ef387fa9307e4060b (patch)
tree03871d9d252a7301d7c0c4abac6b91d0686a4b16 /src/html/template/context.go
parentf5516559e65175887f2fadb73cd8e5fdfc44bcd6 (diff)
html/template: check "type" attribute in <script>
Currently any script tag is treated as a javascript container, although <script type="text/template"> must not be. Check "type" attribute of "script" tag. If it is present and it is not a JS MIME type, do not transition to elementScript state. Fixes #12149, where // inside text template was treated as regexp. Fixes #6701 Change-Id: I8fc9e504f7280bdd800f40383c061853665ac8a2 Reviewed-on: https://go-review.googlesource.com/14336 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
Diffstat (limited to 'src/html/template/context.go')
-rw-r--r--src/html/template/context.go14
1 files changed, 9 insertions, 5 deletions
diff --git a/src/html/template/context.go b/src/html/template/context.go
index c90fc1fda5..37a3faf88b 100644
--- a/src/html/template/context.go
+++ b/src/html/template/context.go
@@ -285,7 +285,8 @@ type element uint8
const (
// elementNone occurs outside a special tag or special element body.
elementNone element = iota
- // elementScript corresponds to the raw text <script> element.
+ // elementScript corresponds to the raw text <script> element
+ // with JS MIME type or no type attribute.
elementScript
// elementStyle corresponds to the raw text <style> element.
elementStyle
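Review bot: The revised comment on `elementScript` says "with JS MIME type or no type attribute" but leaves open how an empty `type=""`, a mixed-case value, or a value with surrounding whitespace is classified, and browsers still run such scripts as JavaScript. The code that does the classification is not in this file, so it cannot be checked from here. If an executable script were classified as non-JS, template actions in its body would presumably not get JS escaping. I would pin the contract in the comment, e.g. `// Any type value a browser would execute as script must map to elementScript.` The const block starts and ends outside the hunk.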
@@ -319,6 +320,8 @@ const (
attrNone attr = iota
// attrScript corresponds to an event handler attribute.
attrScript
+ // attrScriptType corresponds to the type attribute in script HTML element
+ attrScriptType
// attrStyle corresponds to the style attribute whose value is CSS.
attrStyle
// attrURL corresponds to an attribute whose value is a URL.
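Review bot: The new comment on `attrScriptType` is the only one in this block without a trailing period, and it does not say why the attribute needs its own kind. Going by the commit message, its value decides whether the element body is treated as JS, which is worth stating: `// attrScriptType corresponds to the type attribute of a <script> element; its value decides whether the body is escaped as JS.` Adding the constant mid-block also renumbers `attrStyle` and `attrURL`. That looks harmless because `attrNames` is keyed by constant, but anything relying on the numeric values (not visible here) would need checking. The const block starts and ends outside the hunk.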
@@ -326,10 +329,11 @@ const (
)
var attrNames = [...]string{
- attrNone: "attrNone",
- attrScript: "attrScript",
- attrStyle: "attrStyle",
- attrURL: "attrURL",
+ attrNone: "attrNone",
+ attrScript: "attrScript",
+ attrScriptType: "attrScriptType",
+ attrStyle: "attrStyle",
+ attrURL: "attrURL",
}
func (a attr) String() string {