html: only render content literally in the HTML namespace

Per the WHATWG HTML specification, section 13.3, only append the literal
content of a text node if we are in the HTML namespace.

Thanks to Mohammad Thoriq Aziz for reporting this issue.

Fixes golang/go#61615
Fixes CVE-2023-3978

Change-Id: I332152904d4e7646bd2441602bcbe591fc655fa4
Reviewed-by: Tatiana Bradley <>
Run-TryBot: Roland Shoemaker <>
Reviewed-by: Damien Neil <>
TryBot-Result: Security TryBots <>
Reviewed-by: Roland Shoemaker <>
TryBot-Result: Gopher Robot <>
Run-TryBot: Damien Neil <>
2 files changed
tree: 3c2cb18d731aa71f77aa78f584738f039f59db1c
  1. bpf/
  2. context/
  3. dict/
  4. dns/
  5. html/
  6. http/
  7. http2/
  8. icmp/
  9. idna/
  10. internal/
  11. ipv4/
  12. ipv6/
  13. lif/
  14. nettest/
  15. netutil/
  16. proxy/
  17. publicsuffix/
  18. route/
  19. trace/
  20. webdav/
  21. websocket/
  22. xsrftoken/
  23. .gitattributes
  24. .gitignore
  25. codereview.cfg
  27. go.mod
  28. go.sum

Go Networking

Go Reference

This repository holds supplementary Go networking libraries.


The easiest way to install is to run go get -u You can also manually git clone the repository to $GOPATH/src/

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see The main issue tracker for the net repository is located at Prefix your issue with “x/net:” in the subject line, so it is easy to find.