html: UnescapeString unescapes HTML character references without a final semicolon in an attribute #40320
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (go env)?
What did you do?
This is related to #21563
https://play.golang.com/p/Fh08ftsK9YQ
Pass the string "<a href=example.com?param=value&timestamp=123>link" to html.UnescapeString
What did you expect to see?
According to https://html.spec.whatwg.org/multipage/parsing.html#character-reference-state
in an attribute, no character reference is parsed and the string remains intact.
It seems like an attempt was made to do this, but attribute is a constant?
https://golang.org/src/html/escape.go?s=1296:1319#L57
https://golang.org/src/html/escape.go?s=3112:3194#L142
I would expect the same string to come back.
What did you see instead?
&times is changed to ×
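The behaviour reported above, next to an attribute-aware decoder, as an added example that is not part of the original report or of the Go project's code. `UnescapeAttr` is a hypothetical helper that applies the WHATWG attribute rule and delegates the entity lookup to `html.UnescapeString`; the sample value is the attribute from the report, and the helper also handles numeric references, which the report does not cover.

```go
package main

import (
	"fmt"
	"html"
	"strings"
	"unicode/utf8"
)

// UnescapeAttr is a hypothetical helper (not part of package html). A named
// reference with no final ';' followed by '=' or an alphanumeric stays literal.
func UnescapeAttr(s string) string {
	alnum := func(c byte) bool {
		return 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' || '0' <= c && c <= '9'
	}
	var b strings.Builder
	for i := 0; i < len(s); {
		if s[i] != '&' {
			b.WriteByte(s[i])
			i++
			continue
		}
		j, maxRunes := i+1, 1 // without ';' only one-code-point legacy names match
		for j < len(s) && (alnum(s[j]) || j == i+1 && s[j] == '#') {
			j++
		}
		if j < len(s) && s[j] == ';' {
			j, maxRunes = j+1, 2 // with ';' a full match may be two code points
		}
		tok, out := s[i:j], html.UnescapeString(s[i:j])
		numeric := strings.HasPrefix(tok, "&#")
		// A prefix match ("&times" inside "&timestamp") leaves extra runes in out.
		full := utf8.RuneCountInString(out) <= maxRunes
		beforeEq := maxRunes == 1 && j < len(s) && s[j] == '='
		if numeric || (full && !beforeEq) {
			b.WriteString(out)
		} else {
			b.WriteString(tok)
		}
		i = j
	}
	return b.String()
}

func main() {
	const href = "example.com?param=value&timestamp=123" // constructed sample
	fmt.Printf("%q\n%q\n", html.UnescapeString(href), UnescapeAttr(href))
}
```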