html/template: escaper bypass enables XSS via `type=""` attribute in `<script>`

[thatnealpatel]

If a trusted template author were to write a <script>
tag containing an empty type attribute or a type
attribute with an ASCII whitespace, the execution of
the template would incorrectly escape any data passed
into the <script> block.

Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue.

This is CVE-2026-39826 and Go issue https://go.dev/issue/78981.

---

This was a PUBLIC track issue, tracked in http://b/496225621.

[gopherbot]

Change https://go.dev/cl/771180 mentions this issue: html/template: fix escaper bypass by treating empty script type as JavaScript

[gabyhelp]

Related Issues

• html/template: improper handling of special tags within script contexts (CVE-2023-39319) #62197 (closed)
• html/template: improper handling of HTML-like comments within script contexts (CVE-2023-39318) #62196 (closed)
• html/template: fix bypass for CVE-2026-27142 #78913
• html/template: JS template literal context incorrectly tracked #78331 (closed)
• html/template: URLs in meta content attribute actions are not escaped (CVE-2026-27142) #77954 (closed)
• x/net/html: text nodes outside of the HTML namespace improperly rendered #61615 (closed)
• html/template: incorrect duplicate type attribute processing in <script> tags leading to insufficient escaping #78039
• html/template: improper sanitization of CSS values #59720 (closed)
• html/template: improper handling of empty HTML attributes #59722 (closed)

Related Code Changes

• html/template: fix escaper bypass by treating empty script type as JavaScript

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[thatnealpatel]

Hi @gopherbot, please open backport issues for this security issue.

[gopherbot]

Backport issue(s) opened: #79024 (for 1.25), #79025 (for 1.26).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/772021 mentions this issue: [release-branch.go1.25] html/template: fix escaper bypass by treating empty script type as JavaScript

[gopherbot]

Change https://go.dev/cl/772042 mentions this issue: [release-branch.go1.26] html/template: fix escaper bypass by treating empty script type as JavaScript