1 files changed, 262 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch
new file mode 100644
index 0000000000..00def8fcda
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch
@@ -0,0 +1,262 @@
+From 023b542edf38e2a1f87fcefb9f75ff2f99401b4c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 3 Aug 2023 12:24:13 -0700
+Subject: [PATCH] [release-branch.go1.20] html/template: support HTML-like
+ comments in script contexts
+Per Appendix B.1.1 of the ECMAScript specification, support HTML-like
+comments in script contexts. Also per section 12.5, support hashbang
+comments. This brings our parsing in-line with how browsers treat these
+comment types.
+Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for
+reporting this issue.
+Fixes #62196
+Fixes #62395
+Fixes CVE-2023-39318
+Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620
+Reviewed-on: https://go-review.googlesource.com/c/go/+/526098
+Run-TryBot: Cherry Mui <cherryyz@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c]
+CVE: CVE-2023-39318
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ src/html/template/context.go      |  6 ++-
+ src/html/template/escape.go       |  5 +-
+ src/html/template/escape_test.go  | 10 ++++
+ src/html/template/state_string.go | 26 +++++-----
+ src/html/template/transition.go   | 80 ++++++++++++++++++++-----------
+ 5 files changed, 84 insertions(+), 43 deletions(-)
+diff --git a/src/html/template/context.go b/src/html/template/context.go
+index 0b65313..4eb7891 100644
+--- a/src/html/template/context.go
+++ b/src/html/template/context.go
+@@ -124,6 +124,10 @@ const (
+        stateJSBlockCmt
+        // stateJSLineCmt occurs inside a JavaScript // line comment.
+        stateJSLineCmt
+       // stateJSHTMLOpenCmt occurs inside a JavaScript <!-- HTML-like comment.
+       stateJSHTMLOpenCmt
+       // stateJSHTMLCloseCmt occurs inside a JavaScript --> HTML-like comment.
+       stateJSHTMLCloseCmt
+        // stateCSS occurs inside a <style> element or style attribute.
+        stateCSS
+        // stateCSSDqStr occurs inside a CSS double quoted string.
+@@ -149,7 +153,7 @@ const (
+ // authors & maintainers, not for end-users or machines.
+ func isComment(s state) bool {
+        switch s {
+-       case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateCSSBlockCmt, stateCSSLineCmt:
+       case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt, stateCSSBlockCmt, stateCSSLineCmt:
+                return true
+        }
+        return false
+diff --git a/src/html/template/escape.go b/src/html/template/escape.go
+index 435f912..ad2ec69 100644
+--- a/src/html/template/escape.go
+++ b/src/html/template/escape.go
+@@ -698,9 +698,12 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context {
+                if c.state != c1.state && isComment(c1.state) && c1.delim == delimNone {
+                        // Preserve the portion between written and the comment start.
+                        cs := i1 - 2
+-                       if c1.state == stateHTMLCmt {
+                       if c1.state == stateHTMLCmt || c1.state == stateJSHTMLOpenCmt {
+                                // "<!--" instead of "/*" or "//"
+                                cs -= 2
+                       } else if c1.state == stateJSHTMLCloseCmt {
+                               // "-->" instead of "/*" or "//"
+                               cs -= 1
+                        }
+                        b.Write(s[written:cs])
+                        written = i1
+diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
+index f550691..5f41e52 100644
+--- a/src/html/template/escape_test.go
+++ b/src/html/template/escape_test.go
+@@ -503,6 +503,16 @@ func TestEscape(t *testing.T) {
+                        "<script>var a/*b*///c\nd</script>",
+                        "<script>var a \nd</script>",
+                },
+               {
+                       "JS HTML-like comments",
+                       "<script>before <!-- beep\nbetween\nbefore-->boop\n</script>",
+                       "<script>before \nbetween\nbefore\n</script>",
+               },
+               {
+                       "JS hashbang comment",
+                       "<script>#! beep\n</script>",
+                       "<script>\n</script>",
+               },
+                {
+                        "CSS comments",
+                        "<style>p// paragraph\n" +
+diff --git a/src/html/template/state_string.go b/src/html/template/state_string.go
+index 05104be..b5cfe70 100644
+--- a/src/html/template/state_string.go
+++ b/src/html/template/state_string.go
+@@ -25,21 +25,23 @@ func _() {
+        _ = x[stateJSRegexp-14]
+        _ = x[stateJSBlockCmt-15]
+        _ = x[stateJSLineCmt-16]
+-       _ = x[stateCSS-17]
+-       _ = x[stateCSSDqStr-18]
+-       _ = x[stateCSSSqStr-19]
+-       _ = x[stateCSSDqURL-20]
+-       _ = x[stateCSSSqURL-21]
+-       _ = x[stateCSSURL-22]
+-       _ = x[stateCSSBlockCmt-23]
+-       _ = x[stateCSSLineCmt-24]
+-       _ = x[stateError-25]
+-       _ = x[stateDead-26]
+       _ = x[stateJSHTMLOpenCmt-17]
+       _ = x[stateJSHTMLCloseCmt-18]
+       _ = x[stateCSS-19]
+       _ = x[stateCSSDqStr-20]
+       _ = x[stateCSSSqStr-21]
+       _ = x[stateCSSDqURL-22]
+       _ = x[stateCSSSqURL-23]
+       _ = x[stateCSSURL-24]
+       _ = x[stateCSSBlockCmt-25]
+       _ = x[stateCSSLineCmt-26]
+       _ = x[stateError-27]
+       _ = x[stateDead-28]
+ }
+ 
+-const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
+const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
+ 
+-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 204, 217, 230, 243, 256, 267, 283, 298, 308, 317}
+var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 214, 233, 241, 254, 267, 280, 293, 304, 320, 335, 345, 354}
+ 
+ func (i state) String() string {
+        if i >= state(len(_state_index)-1) {
+diff --git a/src/html/template/transition.go b/src/html/template/transition.go
+index 92eb351..12aa4c4 100644
+--- a/src/html/template/transition.go
+++ b/src/html/template/transition.go
+@@ -14,32 +14,34 @@ import (
+ // the updated context and the number of bytes consumed from the front of the
+ // input.
+ var transitionFunc = [...]func(context, []byte) (context, int){
+-       stateText:        tText,
+-       stateTag:         tTag,
+-       stateAttrName:    tAttrName,
+-       stateAfterName:   tAfterName,
+-       stateBeforeValue: tBeforeValue,
+-       stateHTMLCmt:     tHTMLCmt,
+-       stateRCDATA:      tSpecialTagEnd,
+-       stateAttr:        tAttr,
+-       stateURL:         tURL,
+-       stateSrcset:      tURL,
+-       stateJS:          tJS,
+-       stateJSDqStr:     tJSDelimited,
+-       stateJSSqStr:     tJSDelimited,
+-       stateJSBqStr:     tJSDelimited,
+-       stateJSRegexp:    tJSDelimited,
+-       stateJSBlockCmt:  tBlockCmt,
+-       stateJSLineCmt:   tLineCmt,
+-       stateCSS:         tCSS,
+-       stateCSSDqStr:    tCSSStr,
+-       stateCSSSqStr:    tCSSStr,
+-       stateCSSDqURL:    tCSSStr,
+-       stateCSSSqURL:    tCSSStr,
+-       stateCSSURL:      tCSSStr,
+-       stateCSSBlockCmt: tBlockCmt,
+-       stateCSSLineCmt:  tLineCmt,
+-       stateError:       tError,
+       stateText:           tText,
+       stateTag:            tTag,
+       stateAttrName:       tAttrName,
+       stateAfterName:      tAfterName,
+       stateBeforeValue:    tBeforeValue,
+       stateHTMLCmt:        tHTMLCmt,
+       stateRCDATA:         tSpecialTagEnd,
+       stateAttr:           tAttr,
+       stateURL:            tURL,
+       stateSrcset:         tURL,
+       stateJS:             tJS,
+       stateJSDqStr:        tJSDelimited,
+       stateJSSqStr:        tJSDelimited,
+       stateJSBqStr:        tJSDelimited,
+       stateJSRegexp:       tJSDelimited,
+       stateJSBlockCmt:     tBlockCmt,
+       stateJSLineCmt:      tLineCmt,
+       stateJSHTMLOpenCmt:  tLineCmt,
+       stateJSHTMLCloseCmt: tLineCmt,
+       stateCSS:            tCSS,
+       stateCSSDqStr:       tCSSStr,
+       stateCSSSqStr:       tCSSStr,
+       stateCSSDqURL:       tCSSStr,
+       stateCSSSqURL:       tCSSStr,
+       stateCSSURL:         tCSSStr,
+       stateCSSBlockCmt:    tBlockCmt,
+       stateCSSLineCmt:     tLineCmt,
+       stateError:          tError,
+ }
+ 
+ var commentStart = []byte("<!--")
+@@ -263,7 +265,7 @@ func tURL(c context, s []byte) (context, int) {
+ 
+ // tJS is the context transition function for the JS state.
+ func tJS(c context, s []byte) (context, int) {
+-       i := bytes.IndexAny(s, "\"`'/")
+       i := bytes.IndexAny(s, "\"`'/<-#")
+        if i == -1 {
+                // Entire input is non string, comment, regexp tokens.
+                c.jsCtx = nextJSCtx(s, c.jsCtx)
+@@ -293,6 +295,26 @@ func tJS(c context, s []byte) (context, int) {
+                                err:   errorf(ErrSlashAmbig, nil, 0, "'/' could start a division or regexp: %.32q", s[i:]),
+                        }, len(s)
+                }
+       // ECMAScript supports HTML style comments for legacy reasons, see Appendix
+       // B.1.1 "HTML-like Comments". The handling of these comments is somewhat
+       // confusing. Multi-line comments are not supported, i.e. anything on lines
+       // between the opening and closing tokens is not considered a comment, but
+       // anything following the opening or closing token, on the same line, is
+       // ignored. As such we simply treat any line prefixed with "<!--" or "-->"
+       // as if it were actually prefixed with "//" and move on.
+       case '<':
+               if i+3 < len(s) && bytes.Equal(commentStart, s[i:i+4]) {
+                       c.state, i = stateJSHTMLOpenCmt, i+3
+               }
+       case '-':
+               if i+2 < len(s) && bytes.Equal(commentEnd, s[i:i+3]) {
+                       c.state, i = stateJSHTMLCloseCmt, i+2
+               }
+       // ECMAScript also supports "hashbang" comment lines, see Section 12.5.
+       case '#':
+               if i+1 < len(s) && s[i+1] == '!' {
+                       c.state, i = stateJSLineCmt, i+1
+               }
+        default:
+                panic("unreachable")
+        }
+@@ -372,12 +394,12 @@ func tBlockCmt(c context, s []byte) (context, int) {
+        return c, i + 2
+ }
+ 
+-// tLineCmt is the context transition function for //comment states.
+// tLineCmt is the context transition function for //comment states, and the JS HTML-like comment state.
+ func tLineCmt(c context, s []byte) (context, int) {
+        var lineTerminators string
+        var endState state
+        switch c.state {
+-       case stateJSLineCmt:
+       case stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt:
+                lineTerminators, endState = "\n\r\u2028\u2029", stateJS
+        case stateCSSLineCmt:
+                lineTerminators, endState = "\n\f\r", stateCSS
+-- 
+2.24.4

diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch new file mode 100644 index 0000000000..00def8fcda --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch
@@ -0,0 +1,262 @@
	1	From 023b542edf38e2a1f87fcefb9f75ff2f99401b4c Mon Sep 17 00:00:00 2001
	2	From: Roland Shoemaker <bracewell@google.com>
	3	Date: Thu, 3 Aug 2023 12:24:13 -0700
	4	Subject: [PATCH] [release-branch.go1.20] html/template: support HTML-like
	5	comments in script contexts
	6
	7	Per Appendix B.1.1 of the ECMAScript specification, support HTML-like
	8	comments in script contexts. Also per section 12.5, support hashbang
	9	comments. This brings our parsing in-line with how browsers treat these
	10	comment types.
	11
	12	Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for
	13	reporting this issue.
	14
	15	Fixes #62196
	16	Fixes #62395
	17	Fixes CVE-2023-39318
	18
	19	Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181
	20	Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593
	21	Run-TryBot: Roland Shoemaker <bracewell@google.com>
	22	Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
	23	Reviewed-by: Damien Neil <dneil@google.com>
	24	Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
	25	Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620
	26	Reviewed-on: https://go-review.googlesource.com/c/go/+/526098
	27	Run-TryBot: Cherry Mui <cherryyz@google.com>
	28	TryBot-Result: Gopher Robot <gobot@golang.org>
	29
	30	Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c]
	31	CVE: CVE-2023-39318
	32	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
	33	---
	34	src/html/template/context.go \| 6 ++-
	35	src/html/template/escape.go \| 5 +-
	36	src/html/template/escape_test.go \| 10 ++++
	37	src/html/template/state_string.go \| 26 +++++-----
	38	src/html/template/transition.go \| 80 ++++++++++++++++++++-----------
	39	5 files changed, 84 insertions(+), 43 deletions(-)
	40
	41	diff --git a/src/html/template/context.go b/src/html/template/context.go
	42	index 0b65313..4eb7891 100644
	43	--- a/src/html/template/context.go
	44	+++ b/src/html/template/context.go
	45	@@ -124,6 +124,10 @@ const (
	46	stateJSBlockCmt
	47	// stateJSLineCmt occurs inside a JavaScript // line comment.
	48	stateJSLineCmt
	49	+ // stateJSHTMLOpenCmt occurs inside a JavaScript <!-- HTML-like comment.
	50	+ stateJSHTMLOpenCmt
	51	+ // stateJSHTMLCloseCmt occurs inside a JavaScript --> HTML-like comment.
	52	+ stateJSHTMLCloseCmt
	53	// stateCSS occurs inside a <style> element or style attribute.
	54	stateCSS
	55	// stateCSSDqStr occurs inside a CSS double quoted string.
	56	@@ -149,7 +153,7 @@ const (
	57	// authors & maintainers, not for end-users or machines.
	58	func isComment(s state) bool {
	59	switch s {
	60	- case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateCSSBlockCmt, stateCSSLineCmt:
	61	+ case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt, stateCSSBlockCmt, stateCSSLineCmt:
	62	return true
	63	}
	64	return false
	65	diff --git a/src/html/template/escape.go b/src/html/template/escape.go
	66	index 435f912..ad2ec69 100644
	67	--- a/src/html/template/escape.go
	68	+++ b/src/html/template/escape.go
	69	@@ -698,9 +698,12 @@ func (e escaper) escapeText(c context, n parse.TextNode) context {
	70	if c.state != c1.state && isComment(c1.state) && c1.delim == delimNone {
	71	// Preserve the portion between written and the comment start.
	72	cs := i1 - 2
	73	- if c1.state == stateHTMLCmt {
	74	+ if c1.state == stateHTMLCmt \|\| c1.state == stateJSHTMLOpenCmt {
	75	// "<!--" instead of "/*" or "//"
	76	cs -= 2
	77	+ } else if c1.state == stateJSHTMLCloseCmt {
	78	+ // "-->" instead of "/*" or "//"
	79	+ cs -= 1
	80	}
	81	b.Write(s[written:cs])
	82	written = i1
	83	diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
	84	index f550691..5f41e52 100644
	85	--- a/src/html/template/escape_test.go
	86	+++ b/src/html/template/escape_test.go
	87	@@ -503,6 +503,16 @@ func TestEscape(t *testing.T) {
	88	"<script>var a/b///c\nd</script>",
	89	"<script>var a \nd</script>",
	90	},
	91	+ {
	92	+ "JS HTML-like comments",
	93	+ "<script>before <!-- beep\nbetween\nbefore-->boop\n</script>",
	94	+ "<script>before \nbetween\nbefore\n</script>",
	95	+ },
	96	+ {
	97	+ "JS hashbang comment",
	98	+ "<script>#! beep\n</script>",
	99	+ "<script>\n</script>",
	100	+ },
	101	{
	102	"CSS comments",
	103	"<style>p// paragraph\n" +
	104	diff --git a/src/html/template/state_string.go b/src/html/template/state_string.go
	105	index 05104be..b5cfe70 100644
	106	--- a/src/html/template/state_string.go
	107	+++ b/src/html/template/state_string.go
	108	@@ -25,21 +25,23 @@ func _() {
	109	_ = x[stateJSRegexp-14]
	110	_ = x[stateJSBlockCmt-15]
	111	_ = x[stateJSLineCmt-16]
	112	- _ = x[stateCSS-17]
	113	- _ = x[stateCSSDqStr-18]
	114	- _ = x[stateCSSSqStr-19]
	115	- _ = x[stateCSSDqURL-20]
	116	- _ = x[stateCSSSqURL-21]
	117	- _ = x[stateCSSURL-22]
	118	- _ = x[stateCSSBlockCmt-23]
	119	- _ = x[stateCSSLineCmt-24]
	120	- _ = x[stateError-25]
	121	- _ = x[stateDead-26]
	122	+ _ = x[stateJSHTMLOpenCmt-17]
	123	+ _ = x[stateJSHTMLCloseCmt-18]
	124	+ _ = x[stateCSS-19]
	125	+ _ = x[stateCSSDqStr-20]
	126	+ _ = x[stateCSSSqStr-21]
	127	+ _ = x[stateCSSDqURL-22]
	128	+ _ = x[stateCSSSqURL-23]
	129	+ _ = x[stateCSSURL-24]
	130	+ _ = x[stateCSSBlockCmt-25]
	131	+ _ = x[stateCSSLineCmt-26]
	132	+ _ = x[stateError-27]
	133	+ _ = x[stateDead-28]
	134	}
	135
	136	-const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
	137	+const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
	138
	139	-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 204, 217, 230, 243, 256, 267, 283, 298, 308, 317}
	140	+var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 214, 233, 241, 254, 267, 280, 293, 304, 320, 335, 345, 354}
	141
	142	func (i state) String() string {
	143	if i >= state(len(_state_index)-1) {
	144	diff --git a/src/html/template/transition.go b/src/html/template/transition.go
	145	index 92eb351..12aa4c4 100644
	146	--- a/src/html/template/transition.go
	147	+++ b/src/html/template/transition.go
	148	@@ -14,32 +14,34 @@ import (
	149	// the updated context and the number of bytes consumed from the front of the
	150	// input.
	151	var transitionFunc = [...]func(context, []byte) (context, int){
	152	- stateText: tText,
	153	- stateTag: tTag,
	154	- stateAttrName: tAttrName,
	155	- stateAfterName: tAfterName,
	156	- stateBeforeValue: tBeforeValue,
	157	- stateHTMLCmt: tHTMLCmt,
	158	- stateRCDATA: tSpecialTagEnd,
	159	- stateAttr: tAttr,
	160	- stateURL: tURL,
	161	- stateSrcset: tURL,
	162	- stateJS: tJS,
	163	- stateJSDqStr: tJSDelimited,
	164	- stateJSSqStr: tJSDelimited,
	165	- stateJSBqStr: tJSDelimited,
	166	- stateJSRegexp: tJSDelimited,
	167	- stateJSBlockCmt: tBlockCmt,
	168	- stateJSLineCmt: tLineCmt,
	169	- stateCSS: tCSS,
	170	- stateCSSDqStr: tCSSStr,
	171	- stateCSSSqStr: tCSSStr,
	172	- stateCSSDqURL: tCSSStr,
	173	- stateCSSSqURL: tCSSStr,
	174	- stateCSSURL: tCSSStr,
	175	- stateCSSBlockCmt: tBlockCmt,
	176	- stateCSSLineCmt: tLineCmt,
	177	- stateError: tError,
	178	+ stateText: tText,
	179	+ stateTag: tTag,
	180	+ stateAttrName: tAttrName,
	181	+ stateAfterName: tAfterName,
	182	+ stateBeforeValue: tBeforeValue,
	183	+ stateHTMLCmt: tHTMLCmt,
	184	+ stateRCDATA: tSpecialTagEnd,
	185	+ stateAttr: tAttr,
	186	+ stateURL: tURL,
	187	+ stateSrcset: tURL,
	188	+ stateJS: tJS,
	189	+ stateJSDqStr: tJSDelimited,
	190	+ stateJSSqStr: tJSDelimited,
	191	+ stateJSBqStr: tJSDelimited,
	192	+ stateJSRegexp: tJSDelimited,
	193	+ stateJSBlockCmt: tBlockCmt,
	194	+ stateJSLineCmt: tLineCmt,
	195	+ stateJSHTMLOpenCmt: tLineCmt,
	196	+ stateJSHTMLCloseCmt: tLineCmt,
	197	+ stateCSS: tCSS,
	198	+ stateCSSDqStr: tCSSStr,
	199	+ stateCSSSqStr: tCSSStr,
	200	+ stateCSSDqURL: tCSSStr,
	201	+ stateCSSSqURL: tCSSStr,
	202	+ stateCSSURL: tCSSStr,
	203	+ stateCSSBlockCmt: tBlockCmt,
	204	+ stateCSSLineCmt: tLineCmt,
	205	+ stateError: tError,
	206	}
	207
	208	var commentStart = []byte("<!--")
	209	@@ -263,7 +265,7 @@ func tURL(c context, s []byte) (context, int) {
	210
	211	// tJS is the context transition function for the JS state.
	212	func tJS(c context, s []byte) (context, int) {
	213	- i := bytes.IndexAny(s, "\"`'/")
	214	+ i := bytes.IndexAny(s, "\"`'/<-#")
	215	if i == -1 {
	216	// Entire input is non string, comment, regexp tokens.
	217	c.jsCtx = nextJSCtx(s, c.jsCtx)
	218	@@ -293,6 +295,26 @@ func tJS(c context, s []byte) (context, int) {
	219	err: errorf(ErrSlashAmbig, nil, 0, "'/' could start a division or regexp: %.32q", s[i:]),
	220	}, len(s)
	221	}
	222	+ // ECMAScript supports HTML style comments for legacy reasons, see Appendix
	223	+ // B.1.1 "HTML-like Comments". The handling of these comments is somewhat
	224	+ // confusing. Multi-line comments are not supported, i.e. anything on lines
	225	+ // between the opening and closing tokens is not considered a comment, but
	226	+ // anything following the opening or closing token, on the same line, is
	227	+ // ignored. As such we simply treat any line prefixed with "<!--" or "-->"
	228	+ // as if it were actually prefixed with "//" and move on.
	229	+ case '<':
	230	+ if i+3 < len(s) && bytes.Equal(commentStart, s[i:i+4]) {
	231	+ c.state, i = stateJSHTMLOpenCmt, i+3
	232	+ }
	233	+ case '-':
	234	+ if i+2 < len(s) && bytes.Equal(commentEnd, s[i:i+3]) {
	235	+ c.state, i = stateJSHTMLCloseCmt, i+2
	236	+ }
	237	+ // ECMAScript also supports "hashbang" comment lines, see Section 12.5.
	238	+ case '#':
	239	+ if i+1 < len(s) && s[i+1] == '!' {
	240	+ c.state, i = stateJSLineCmt, i+1
	241	+ }
	242	default:
	243	panic("unreachable")
	244	}
	245	@@ -372,12 +394,12 @@ func tBlockCmt(c context, s []byte) (context, int) {
	246	return c, i + 2
	247	}
	248
	249	-// tLineCmt is the context transition function for //comment states.
	250	+// tLineCmt is the context transition function for //comment states, and the JS HTML-like comment state.
	251	func tLineCmt(c context, s []byte) (context, int) {
	252	var lineTerminators string
	253	var endState state
	254	switch c.state {
	255	- case stateJSLineCmt:
	256	+ case stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt:
	257	lineTerminators, endState = "\n\r\u2028\u2029", stateJS
	258	case stateCSSLineCmt:
	259	lineTerminators, endState = "\n\f\r", stateCSS
	260	--
	261	2.24.4
	262