html/template: improper handling of special tags within script contexts (CVE-2023-39319)

[rolandshoemaker]

The html/template package did not apply the proper rules for handling occurances
of "<script", "<!--", and "</script" within JS literals in <script> contexts.
This may cause the template parser to improperly consider script contexts to be
terminated early, causing actions to be improperly escaped. This could be
leveraged to perform an XSS attack.

Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
issue.

This is CVE-2023-39319 and Go issue https://go.dev/issue/62197.

---

This is a PRIVATE issue for CVE-2023-39319, tracked in http://b/293889520 and fixed by http://tg/c/1976594.

/cc @golang/security and @golang/release

[rolandshoemaker]

@gopherbot please open backport issues.

[gopherbot]

Backport issue(s) opened: #62397 (for 1.20), #62398 (for 1.21).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/526097 mentions this issue: [release-branch.go1.21] html/template: properly handle special tags within the script context

[gopherbot]

Change https://go.dev/cl/526099 mentions this issue: [release-branch.go1.20] html/template: properly handle special tags within the script context

[gopherbot]

Change https://go.dev/cl/526157 mentions this issue: html/template: properly handle special tags within the script context