html/template: escape JS in application/json script tag

nodirt · bradfitz · commit 37dbc7b49cbc · 2016-12-04T02:33:58.000Z
Since ffd1c78 HTML templates check MIME type in the "type" attribute of "script" tag to decide if contents should be escaped as JavaScript. The whitelist of MIME types did not include application/json. Include it in this CL. Fixes golang#18159 Change-Id: I17a8a38f2b7789b4b7e941d14279de222eaf2b6a Reviewed-on: https://go-review.googlesource.com/33899 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
diff --git a/src/html/template/js.go b/src/html/template/js.go
@@ -368,9 +368,10 @@ func isJSIdentPart(r rune) bool {
 // It is used to determine whether a script tag with a type attribute is a javascript container.
 func isJSType(mimeType string) bool {
 	// per
-	//   http://www.w3.org/TR/html5/scripting-1.html#attr-script-type
+	//   https://www.w3.org/TR/html5/scripting-1.html#attr-script-type
 	//   https://tools.ietf.org/html/rfc7231#section-3.1.1
-	//   http://tools.ietf.org/html/rfc4329#section-3
+	//   https://tools.ietf.org/html/rfc4329#section-3
+	//   https://www.ietf.org/rfc/rfc4627.txt
 
 	// discard parameters
 	if i := strings.Index(mimeType, ";"); i >= 0 {
@@ -381,6 +382,7 @@ func isJSType(mimeType string) bool {
 	case
 		"application/ecmascript",
 		"application/javascript",
+		"application/json",
 		"application/x-ecmascript",
 		"application/x-javascript",
 		"text/ecmascript",
