html: escape comment and doctype tokens' data
Fixes golang/go#48237
Change-Id: I309e3ad30684fb71b9b3e67dfac156da08dbc69b
Reviewed-on: https://go-review.googlesource.com/c/net/+/419334
Run-TryBot: Nigel Tao <nigeltao@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Kunpei Sakai <namusyaka@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/html/render.go b/html/render.go
index b46d81c..497e132 100644
--- a/html/render.go
+++ b/html/render.go
@@ -85,7 +85,7 @@
if _, err := w.WriteString("<!--"); err != nil {
return err
}
- if _, err := w.WriteString(n.Data); err != nil {
+ if err := escape(w, n.Data); err != nil {
return err
}
if _, err := w.WriteString("-->"); err != nil {
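Review bot: The comment branch now sends `n.Data` through `escape`, which looks like the same helper used for text nodes, but HTML parsers do not decode character references inside comments. Assuming it emits entities such as `&gt;`, a comment containing `<`, `>` or `&` will re-parse as different literal text unless the tokenizer side unescapes comment data, which is not visible in this hunk. A why-comment above the call would help the next reader, for example `// Escape so that n.Data cannot terminate the comment early with "-->" and be rendered as markup.` A round-trip test (parse, render, parse) with data containing `-->` and `--!>` would pin both the safety property and the fidelity cost. The enclosing render function starts and ends outside the hunk.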
@@ -96,7 +96,7 @@
if _, err := w.WriteString("<!DOCTYPE "); err != nil {
return err
}
- if _, err := w.WriteString(n.Data); err != nil {
+ if err := escape(w, n.Data); err != nil {
return err
}
if n.Attr != nil {
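Review bot: Only the doctype name is escaped by the new line; the values read from `n.Attr` just below are written by code outside this hunk. It is worth confirming that those identifiers cannot carry a `>` or a matching quote character through unescaped, otherwise the same early-termination problem remains one branch lower. A short comment on the changed line would document the intent, for example `// n.Data may come from a caller-built Node; escape it so it cannot end the doctype early.` A render test using a DoctypeNode whose Data contains `>` would keep this from regressing.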