html/template: fix escaper bypass by treating empty script type as JavaScript

Thank you to Mundur (https://github.com/M0nd0R) for reporting this issue. Fixes #78981 Fixes CVE-2026-39826 Change-Id: I3f2e06496020ece655d156fb099ff556af8cc836 Reviewed-on: https://go-review.googlesource.com/c/go/+/771180 Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2026-06-26 10:50:23 +00:00 · 2026-04-27 17:34:58 -04:00 · 2026-04-27 17:34:58 -04:00 · a63b23ffb2
commit a63b23ffb2
parent 2c59389fcc
2 changed files with 16 additions and 0 deletions
--- a/src/html/template/escape_test.go
+++ b/src/html/template/escape_test.go
@ -232,6 +232,21 @@ func TestEscape(t *testing.T) {
 			"<script>alert({{.A}})</script>",
 			`<script>alert(["\u003ca\u003e","\u003cb\u003e"])</script>`,
 		},
+		{
+			"scriptTypeSpace",
+			"<script type=\" \">{{.H}}</script>",
+			"<script type=\" \">\"\\u003cHello\\u003e\"</script>",
+		},
+		{
+			"scriptTypeTab",
+			"<script type=\"\t\">{{.H}}</script>",
+			"<script type=\"\t\">\"\\u003cHello\\u003e\"</script>",
+		},
+		{
+			"scriptTypeEmpty",
+			"<script type=\"\">{{.H}}</script>",
+			"<script type=\"\">\"\\u003cHello\\u003e\"</script>",
+		},
 		{
 			"jsObjValueNotOverEscaped",
 			"<button onclick='alert({{.A | html}})'>",
--- a/src/html/template/js.go
+++ b/src/html/template/js.go
@ -462,6 +462,7 @@ func isJSType(mimeType string) bool {
 	mimeType = strings.TrimSpace(mimeType)
 	switch mimeType {
 	case
+		"",
 		"application/ecmascript",
 		"application/javascript",
 		"application/json",