| Field | Value | Date |
|---|---|---|
| author | Roberto Clapis <robclap8@gmail.com> | 2019-11-18 10:05:07 +0100 |
| committer | Filippo Valsorda <filippo@golang.org> | 2019-11-21 22:20:17 +0000 |
| commit | 94e9a5e19b831504eca2b7202b78d1a48c4be547 | |
| tree | 6ac7a10d3644bf3efa6b026f4eb9b817fa6b15b4 /src/text/template/exec_test.go | |
| parent | f4a8bf128364e852cff87cf404a5c16c457ef8f6 | |
| download | go-94e9a5e19b831504eca2b7202b78d1a48c4be547.tar.xz | |
text/template: harden JSEscape to also escape ampersand and equal

Ampersand and equal are not dangerous in a JS/JSString context
but they might cause issues if interpolated in HTML attributes.
This change makes it harder to introduce XSS by misusing
escaping.

Thanks to t1ddl3r <t1ddl3r@gmail.com> for reporting this common
misuse scenario.

Fixes #35665

Change-Id: Ice6416477bba4cb2ba2fe2cfdc20e027957255c0
Reviewed-on: https://go-review.googlesource.com/c/go/+/207637
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Mike Samuel <mikesamuel@gmail.com>
Reviewed-by: Andrew Bonventre <andybons@golang.org>
Reviewed-by: Daniel Martí <mvdan@mvdan.cc>
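The commit message says the hardened escaper makes attribute-context misuse harder, not safe. The program below is an added example, not code from the Go project or this CL: it runs the standard library's `text/template.JSEscapeString` over the two inputs this change adds to the test plus a few constructed ones, and reports which attribute-significant bytes (quotes, angle brackets, ampersand, equals) still appear verbatim in the output. The constant `attributeSignificant` and the function `Surviving` are names chosen here; the only assumption about the library is the escaping behaviour this commit describes (ampersand and equals are rewritten, quotes are backslash-escaped).

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// attributeSignificant lists the bytes that change how an HTML attribute is
// parsed: quotes end a quoted value, '=' separates name from value, '&'
// starts a character reference, and '<' '>' delimit the tag. This commit
// adds '&' and '=' to the set that text/template's JSEscape rewrites; the
// quotes and angle brackets were already handled. (Name chosen for this
// example, not part of text/template.)
const attributeSignificant = "\"'<>&="

// Surviving runs text/template.JSEscapeString on s and returns, in the order
// of attributeSignificant, the attribute-significant bytes that still appear
// verbatim in the escaped output. An empty result means the escaped string
// carries none of them. (Helper written for this example.)
func Surviving(s string) string {
	escaped := template.JSEscapeString(s)
	var kept []byte
	for i := 0; i < len(attributeSignificant); i++ {
		if strings.IndexByte(escaped, attributeSignificant[i]) >= 0 {
			kept = append(kept, attributeSignificant[i])
		}
	}
	return string(kept)
}

func main() {
	// Constructed inputs: the two cases this commit adds to TestJSEscaping,
	// one existing case, and two quote cases that show what still survives.
	for _, in := range []string{
		`<html>`,
		`no = in attributes`,
		`&#x27; does not become HTML entity`,
		`say "hi"`,
		`it's`,
	} {
		fmt.Printf("%-38q -> %-48q surviving=%q\n",
			in, template.JSEscapeString(in), Surviving(in))
	}
}
```

The first three inputs come back with no attribute-significant byte left, which is exactly what this change buys: an escaped string that contains no raw `=` or `&` cannot be misread as a second attribute or as the start of a character reference. The two quote inputs still report `"` and `'`, because JSEscape turns them into `\"` and `\'`, which is right for a JavaScript string literal but still terminates a quoted HTML attribute value. That remaining gap is why the message says "harder", and why attribute-context output should go through html/template's contextual escaping rather than the `js` function alone.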
Diffstat (limited to 'src/text/template/exec_test.go')
| -rw-r--r-- | src/text/template/exec_test.go | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/text/template/exec_test.go b/src/text/template/exec_test.go index 2b299b0bf6..aa5cd4c552 100644 --- a/src/text/template/exec_test.go +++ b/src/text/template/exec_test.go @@ -909,6 +909,8 @@ func TestJSEscaping(t *testing.T) { {`Yukihiro says "今日は世界"`, `Yukihiro says \"今日は世界\"`}, {"unprintable \uFDFF", `unprintable \uFDFF`}, {`<html>`, `\x3Chtml\x3E`}, + {`no = in attributes`, `no \x3D in attributes`}, + {`' does not become HTML entity`, `\x26#x27; does not become HTML entity`}, } for _, tc := range testCases { s := JSEscapeString(tc.in) |
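Review bot: the input of the second added case is rendered here as a bare apostrophe, but its expected output `\x26#x27; does not become HTML entity` is the escaped form of the five-character entity text `&#x27;`, and the commit message says the new escaping covers ampersand and equal, not the apostrophe; the literal in the source should read `{`&#x27; does not become HTML entity`, `\x26#x27; does not become HTML entity`}` so that the case actually exercises ampersand escaping (the page rendering appears to have decoded the entity). Since the ampersand is only covered through that entity string, consider adding a bare case alongside the `=` one, e.g. `{`a & b`, `a \x26 b`}`, so a regression in either escape is caught on its own.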
