From a63b23ffb2eebc9ca3a14c369b615ca623bb20f7 Mon Sep 17 00:00:00 2001
From: Neal Patel <nealpatel@google.com>
Date: Mon, 27 Apr 2026 17:34:58 -0400
Subject: [PATCH] html/template: fix escaper bypass by treating empty script
 type as JavaScript

Thank you to Mundur (https://github.com/M0nd0R) for reporting this issue.

Fixes #78981
Fixes CVE-2026-39826

Change-Id: I3f2e06496020ece655d156fb099ff556af8cc836
Reviewed-on: https://go-review.googlesource.com/c/go/+/771180
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 src/html/template/escape_test.go | 15 +++++++++++++++
 src/html/template/js.go          |  1 +
 2 files changed, 16 insertions(+)

diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
index a39d696c42..aef5e01957 100644
--- a/src/html/template/escape_test.go
+++ b/src/html/template/escape_test.go
@@ -232,6 +232,21 @@ func TestEscape(t *testing.T) {
 			"<script>alert({{.A}})</script>",
 			`<script>alert(["\u003ca\u003e","\u003cb\u003e"])</script>`,
 		},
+		{
+			"scriptTypeSpace",
+			"<script type=\" \">{{.H}}</script>",
+			"<script type=\" \">\"\\u003cHello\\u003e\"</script>",
+		},
+		{
+			"scriptTypeTab",
+			"<script type=\"\t\">{{.H}}</script>",
+			"<script type=\"\t\">\"\\u003cHello\\u003e\"</script>",
+		},
+		{
+			"scriptTypeEmpty",
+			"<script type=\"\">{{.H}}</script>",
+			"<script type=\"\">\"\\u003cHello\\u003e\"</script>",
+		},
 		{
 			"jsObjValueNotOverEscaped",
 			"<button onclick='alert({{.A | html}})'>",
diff --git a/src/html/template/js.go b/src/html/template/js.go
index b3bf94801b..e2db30f966 100644
--- a/src/html/template/js.go
+++ b/src/html/template/js.go
@@ -462,6 +462,7 @@ func isJSType(mimeType string) bool {
 	mimeType = strings.TrimSpace(mimeType)
 	switch mimeType {
 	case
+		"",
 		"application/ecmascript",
 		"application/javascript",
 		"application/json",