html/template: example for disallowed script type change

Fixes #59112

Change-Id: I617f8a4581a55a0f134f488462f415ec22eb4ee3
Reviewed-on: https://go-review.googlesource.com/c/go/+/496145
Reviewed-by: Junyang Shao <shaojunyang@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Sean Liao 2023-05-19 20:11:19 +01:00
parent 061efaa8a7
commit f7204d76bc

@ -79,15 +79,18 @@ const (
ErrBadHTML
// ErrBranchEnd: "{{if}} branches end in different contexts"
// Example:
// Examples:
// {{if .C}}<a href="{{end}}{{.X}}
// <script {{with .T}}type="{{.}}"{{end}}>
// Discussion:
// Package html/template statically examines each path through an
// {{if}}, {{range}}, or {{with}} to escape any following pipelines.
// The example is ambiguous since {{.X}} might be an HTML text node,
// The first example is ambiguous since {{.X}} might be an HTML text node,
// or a URL prefix in an HTML attribute. The context of {{.X}} is
// used to figure out how to escape it, but that context depends on
// the run-time value of {{.C}} which is not statically known.
// The second example is ambiguous as the script type attribute
// can change the type of escaping needed for the script contents.
//
// The problem is usually something like missing quotes or angle
// brackets, or can be avoided by refactoring to put the two contexts
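Review bot: the closing paragraph of the Discussion ("The problem is usually something like missing quotes or angle brackets ...") still reads as if there were only the first example. The new `<script {{with .T}}type="{{.}}"{{end}}>` case has no missing quote or bracket, so a reader who hits ErrBranchEnd from a conditional type attribute is told why it is ambiguous but not how to resolve it. Suggest adding one sentence of remedy for the second example next to the new explanation, for instance that the script type attribute should be written unconditionally as a literal value so the escaping for the script contents is known statically. It would also help to say explicitly that the "missing quotes" advice applies to the first example only.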