html/template: fix bypass for CVE-2026-27142

[thatnealpatel]

CVE-2026-27142 fixed a vulnerability in which URLs were not
correctly escaped inside of a tag's attribute.
If the URL content were to insert ASCII whitespaces around the
= rune inside of the attribute, the escaper would
fail to similarly escape it, leading to XSS.

Dynamic inputs to a tag's attribute are now
whitespace sanitized prior to escaping.

Thanks to Samy Ghannad for reporting this issue.

This is CVE-2026-39823 and Go issue https://go.dev/issue/78913.

---

This was a PUBLIC track issue, tracked in http://b/495820486.

[gopherbot]

Change https://go.dev/cl/769920 mentions this issue: html/template: fix escaping of URLs in meta content attributes

[gabyhelp]

Related Issues

• html/template: URLs in meta content attribute actions are not escaped (CVE-2026-27142) #77954 (closed)

Related Code Changes

• [release-branch.go1.25] html/template: properly escape URLs in meta content attributes

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[thatnealpatel]

Hi @gopherbot, please open backport issues for this security issue.

[gopherbot]

Backport issue(s) opened: #79031 (for 1.25), #79032 (for 1.26).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/772100 mentions this issue: [release-branch.go1.25] html/template: fix escaping of URLs in meta content attributes

[gopherbot]

Change https://go.dev/cl/772101 mentions this issue: [release-branch.go1.25] html/template: fix escaping of URLs in meta content attributes

[gopherbot]

Change https://go.dev/cl/772103 mentions this issue: [release-branch.go1.26] html/template: fix escaping of URLs in meta content attributes