go: Fix CVE-2023-39318

Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c] CVE: CVE-2023-39318 (From OE-Core rev: 35fa5c12f86bda2c8542bdb57074f55808697a42) Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Siddharth Doshi <sdoshi@mvista.com> 2023-09-25 13:50:33 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-09-30 09:43:59 -1000
commit: 7435f15930cc2ef08bca84a17d44562122cdfc5c (patch)
tree: a228cba42d5eafbddfce8b197d0b1ffa7eb650d8
parent: fe7e47368e796b40aaddd2c2eb79df1e7f46e48c (diff)
download: poky-7435f15930cc2ef08bca84a17d44562122cdfc5c.tar.gz
2 files changed, 239 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index c753a26a7e..ed2645bc12 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -44,6 +44,7 @@ SRC_URI += "\
    file://CVE-2023-24531_2.patch \
    file://CVE-2023-29409.patch \
    file://CVE-2023-39319.patch \
+    file://CVE-2023-39318.patch \
 "
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch b/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch
new file mode 100644
index 0000000000..85c6ec97c8
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch
@@ -0,0 +1,238 @@
+From 023b542edf38e2a1f87fcefb9f75ff2f99401b4c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 3 Aug 2023 12:24:13 -0700
+Subject: [PATCH] [release-branch.go1.20] html/template: support HTML-like
+ comments in script contexts
+Per Appendix B.1.1 of the ECMAScript specification, support HTML-like
+comments in script contexts. Also per section 12.5, support hashbang
+comments. This brings our parsing in-line with how browsers treat these
+comment types.
+Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for
+reporting this issue.
+Fixes #62196
+Fixes #62395
+Fixes CVE-2023-39318
+Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620
+Reviewed-on: https://go-review.googlesource.com/c/go/+/526098
+Run-TryBot: Cherry Mui <cherryyz@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c]
+CVE: CVE-2023-39318
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ src/html/template/context.go      |  6 ++-
+ src/html/template/escape.go       |  5 +-
+ src/html/template/escape_test.go  | 10 ++++
+ src/html/template/state_string.go |  4 +-
+ src/html/template/transition.go   | 80 ++++++++++++++++++++-----------
+ 5 files changed, 72 insertions(+), 33 deletions(-)
+diff --git a/src/html/template/context.go b/src/html/template/context.go
+index f5f44a1..feb6517 100644
+--- a/src/html/template/context.go
+++ b/src/html/template/context.go
+@@ -124,6 +124,10 @@ const (
+        stateJSBlockCmt
+        // stateJSLineCmt occurs inside a JavaScript // line comment.
+        stateJSLineCmt
+       // stateJSHTMLOpenCmt occurs inside a JavaScript <!-- HTML-like comment.
+       stateJSHTMLOpenCmt
+       // stateJSHTMLCloseCmt occurs inside a JavaScript --> HTML-like comment.
+       stateJSHTMLCloseCmt
+        // stateCSS occurs inside a <style> element or style attribute.
+        stateCSS
+        // stateCSSDqStr occurs inside a CSS double quoted string.
+@@ -149,7 +153,7 @@ const (
+ // authors & maintainers, not for end-users or machines.
+ func isComment(s state) bool {
+        switch s {
+-       case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateCSSBlockCmt, stateCSSLineCmt:
+       case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt, stateCSSBlockCmt, stateCSSLineCmt:
+                return true
+        }
+        return false
+diff --git a/src/html/template/escape.go b/src/html/template/escape.go
+index 1747ec9..b0085ce 100644
+--- a/src/html/template/escape.go
+++ b/src/html/template/escape.go
+@@ -721,9 +721,12 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context {
+                if c.state != c1.state && isComment(c1.state) && c1.delim == delimNone {
+                        // Preserve the portion between written and the comment start.
+                        cs := i1 - 2
+-                       if c1.state == stateHTMLCmt {
+                       if c1.state == stateHTMLCmt || c1.state == stateJSHTMLOpenCmt {
+                                // "<!--" instead of "/*" or "//"
+                                cs -= 2
+                       } else if c1.state == stateJSHTMLCloseCmt {
+                               // "-->" instead of "/*" or "//"
+                               cs -= 1
+                        }
+                        b.Write(s[written:cs])
+                        written = i1
+diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
+index 7853daa..bff38c6 100644
+--- a/src/html/template/escape_test.go
+++ b/src/html/template/escape_test.go
+@@ -503,6 +503,16 @@ func TestEscape(t *testing.T) {
+                        "<script>var a/*b*///c\nd</script>",
+                        "<script>var a \nd</script>",
+                },
+               {
+                       "JS HTML-like comments",
+                       "<script>before <!-- beep\nbetween\nbefore-->boop\n</script>",
+                       "<script>before \nbetween\nbefore\n</script>",
+               },
+               {
+                       "JS hashbang comment",
+                       "<script>#! beep\n</script>",
+                       "<script>\n</script>",
+               },
+                {
+                        "Special tags in <script> string literals",
+                        `<script>var a = "asd < 123 <!-- 456 < fgh <script jkl < 789 </script"</script>`,
+diff --git a/src/html/template/state_string.go b/src/html/template/state_string.go
+index 05104be..b5cfe70 100644
+--- a/src/html/template/state_string.go
+++ b/src/html/template/state_string.go
+@@ -4,9 +4,9 @@ package template
+ 
+ import "strconv"
+ 
+-const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateError"
+const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
+ 
+-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 155, 170, 184, 192, 205, 218, 231, 244, 255, 271, 286, 296}
+var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 214, 233, 241, 254, 267, 280, 293, 304, 320, 335, 345, 354}
+ 
+ func (i state) String() string {
+        if i >= state(len(_state_index)-1) {
+diff --git a/src/html/template/transition.go b/src/html/template/transition.go
+index e2660cc..3d2a37c 100644
+--- a/src/html/template/transition.go
+++ b/src/html/template/transition.go
+@@ -14,32 +14,34 @@ import (
+ // the updated context and the number of bytes consumed from the front of the
+ // input.
+ var transitionFunc = [...]func(context, []byte) (context, int){
+-       stateText:        tText,
+-       stateTag:         tTag,
+-       stateAttrName:    tAttrName,
+-       stateAfterName:   tAfterName,
+-       stateBeforeValue: tBeforeValue,
+-       stateHTMLCmt:     tHTMLCmt,
+-       stateRCDATA:      tSpecialTagEnd,
+-       stateAttr:        tAttr,
+-       stateURL:         tURL,
+-       stateSrcset:      tURL,
+-       stateJS:          tJS,
+-       stateJSDqStr:     tJSDelimited,
+-       stateJSSqStr:     tJSDelimited,
+-       stateJSBqStr:     tJSDelimited,
+-       stateJSRegexp:    tJSDelimited,
+-       stateJSBlockCmt:  tBlockCmt,
+-       stateJSLineCmt:   tLineCmt,
+-       stateCSS:         tCSS,
+-       stateCSSDqStr:    tCSSStr,
+-       stateCSSSqStr:    tCSSStr,
+-       stateCSSDqURL:    tCSSStr,
+-       stateCSSSqURL:    tCSSStr,
+-       stateCSSURL:      tCSSStr,
+-       stateCSSBlockCmt: tBlockCmt,
+-       stateCSSLineCmt:  tLineCmt,
+-       stateError:       tError,
+       stateText:           tText,
+       stateTag:            tTag,
+       stateAttrName:       tAttrName,
+       stateAfterName:      tAfterName,
+       stateBeforeValue:    tBeforeValue,
+       stateHTMLCmt:        tHTMLCmt,
+       stateRCDATA:         tSpecialTagEnd,
+       stateAttr:           tAttr,
+       stateURL:            tURL,
+       stateSrcset:         tURL,
+       stateJS:             tJS,
+       stateJSDqStr:        tJSDelimited,
+       stateJSSqStr:        tJSDelimited,
+       stateJSBqStr:        tJSDelimited,
+       stateJSRegexp:       tJSDelimited,
+       stateJSBlockCmt:     tBlockCmt,
+       stateJSLineCmt:      tLineCmt,
+       stateJSHTMLOpenCmt:  tLineCmt,
+       stateJSHTMLCloseCmt: tLineCmt,
+       stateCSS:            tCSS,
+       stateCSSDqStr:       tCSSStr,
+       stateCSSSqStr:       tCSSStr,
+       stateCSSDqURL:       tCSSStr,
+       stateCSSSqURL:       tCSSStr,
+       stateCSSURL:         tCSSStr,
+       stateCSSBlockCmt:    tBlockCmt,
+       stateCSSLineCmt:     tLineCmt,
+       stateError:          tError,
+ }
+ 
+ var commentStart = []byte("<!--")
+@@ -268,7 +270,7 @@ func tURL(c context, s []byte) (context, int) {
+ 
+ // tJS is the context transition function for the JS state.
+ func tJS(c context, s []byte) (context, int) {
+-       i := bytes.IndexAny(s, "\"`'/")
+       i := bytes.IndexAny(s, "\"`'/<-#")
+        if i == -1 {
+                // Entire input is non string, comment, regexp tokens.
+                c.jsCtx = nextJSCtx(s, c.jsCtx)
+@@ -298,6 +300,26 @@ func tJS(c context, s []byte) (context, int) {
+                                err:   errorf(ErrSlashAmbig, nil, 0, "'/' could start a division or regexp: %.32q", s[i:]),
+                        }, len(s)
+                }
+       // ECMAScript supports HTML style comments for legacy reasons, see Appendix
+       // B.1.1 "HTML-like Comments". The handling of these comments is somewhat
+       // confusing. Multi-line comments are not supported, i.e. anything on lines
+       // between the opening and closing tokens is not considered a comment, but
+       // anything following the opening or closing token, on the same line, is
+       // ignored. As such we simply treat any line prefixed with "<!--" or "-->"
+       // as if it were actually prefixed with "//" and move on.
+       case '<':
+               if i+3 < len(s) && bytes.Equal(commentStart, s[i:i+4]) {
+                       c.state, i = stateJSHTMLOpenCmt, i+3
+               }
+       case '-':
+               if i+2 < len(s) && bytes.Equal(commentEnd, s[i:i+3]) {
+                       c.state, i = stateJSHTMLCloseCmt, i+2
+               }
+       // ECMAScript also supports "hashbang" comment lines, see Section 12.5.
+       case '#':
+               if i+1 < len(s) && s[i+1] == '!' {
+                       c.state, i = stateJSLineCmt, i+1
+               }
+        default:
+                panic("unreachable")
+        }
+@@ -387,12 +409,12 @@ func tBlockCmt(c context, s []byte) (context, int) {
+        return c, i + 2
+ }
+ 
+-// tLineCmt is the context transition function for //comment states.
+// tLineCmt is the context transition function for //comment states, and the JS HTML-like comment state.
+ func tLineCmt(c context, s []byte) (context, int) {
+        var lineTerminators string
+        var endState state
+        switch c.state {
+-       case stateJSLineCmt:
+       case stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt:
+                lineTerminators, endState = "\n\r\u2028\u2029", stateJS
+        case stateCSSLineCmt:
+                lineTerminators, endState = "\n\f\r", stateCSS
+-- 
+2.35.7
author	Siddharth Doshi <sdoshi@mvista.com>	2023-09-25 13:50:33 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-09-30 09:43:59 -1000
commit	7435f15930cc2ef08bca84a17d44562122cdfc5c (patch)
tree	a228cba42d5eafbddfce8b197d0b1ffa7eb650d8
parent	fe7e47368e796b40aaddd2c2eb79df1e7f46e48c (diff)
download	poky-7435f15930cc2ef08bca84a17d44562122cdfc5c.tar.gz

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index c753a26a7e..ed2645bc12 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -44,6 +44,7 @@ SRC_URI += "\
44	file://CVE-2023-24531_2.patch \	44	file://CVE-2023-24531_2.patch \
45	file://CVE-2023-29409.patch \	45	file://CVE-2023-29409.patch \
46	file://CVE-2023-39319.patch \	46	file://CVE-2023-39319.patch \
		47	file://CVE-2023-39318.patch \
47	"	48	"
48	SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"	49	SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
49		50


diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch b/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch new file mode 100644 index 0000000000..85c6ec97c8 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch
@@ -0,0 +1,238 @@
		1	From 023b542edf38e2a1f87fcefb9f75ff2f99401b4c Mon Sep 17 00:00:00 2001
		2	From: Roland Shoemaker <bracewell@google.com>
		3	Date: Thu, 3 Aug 2023 12:24:13 -0700
		4	Subject: [PATCH] [release-branch.go1.20] html/template: support HTML-like
		5	comments in script contexts
		6
		7	Per Appendix B.1.1 of the ECMAScript specification, support HTML-like
		8	comments in script contexts. Also per section 12.5, support hashbang
		9	comments. This brings our parsing in-line with how browsers treat these
		10	comment types.
		11
		12	Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for
		13	reporting this issue.
		14
		15	Fixes #62196
		16	Fixes #62395
		17	Fixes CVE-2023-39318
		18
		19	Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181
		20	Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593
		21	Run-TryBot: Roland Shoemaker <bracewell@google.com>
		22	Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
		23	Reviewed-by: Damien Neil <dneil@google.com>
		24	Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
		25	Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620
		26	Reviewed-on: https://go-review.googlesource.com/c/go/+/526098
		27	Run-TryBot: Cherry Mui <cherryyz@google.com>
		28	TryBot-Result: Gopher Robot <gobot@golang.org>
		29
		30	Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c]
		31	CVE: CVE-2023-39318
		32	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
		33	---
		34	src/html/template/context.go \| 6 ++-
		35	src/html/template/escape.go \| 5 +-
		36	src/html/template/escape_test.go \| 10 ++++
		37	src/html/template/state_string.go \| 4 +-
		38	src/html/template/transition.go \| 80 ++++++++++++++++++++-----------
		39	5 files changed, 72 insertions(+), 33 deletions(-)
		40
		41	diff --git a/src/html/template/context.go b/src/html/template/context.go
		42	index f5f44a1..feb6517 100644
		43	--- a/src/html/template/context.go
		44	+++ b/src/html/template/context.go
		45	@@ -124,6 +124,10 @@ const (
		46	stateJSBlockCmt
		47	// stateJSLineCmt occurs inside a JavaScript // line comment.
		48	stateJSLineCmt
		49	+ // stateJSHTMLOpenCmt occurs inside a JavaScript <!-- HTML-like comment.
		50	+ stateJSHTMLOpenCmt
		51	+ // stateJSHTMLCloseCmt occurs inside a JavaScript --> HTML-like comment.
		52	+ stateJSHTMLCloseCmt
		53	// stateCSS occurs inside a <style> element or style attribute.
		54	stateCSS
		55	// stateCSSDqStr occurs inside a CSS double quoted string.
		56	@@ -149,7 +153,7 @@ const (
		57	// authors & maintainers, not for end-users or machines.
		58	func isComment(s state) bool {
		59	switch s {
		60	- case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateCSSBlockCmt, stateCSSLineCmt:
		61	+ case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt, stateCSSBlockCmt, stateCSSLineCmt:
		62	return true
		63	}
		64	return false
		65	diff --git a/src/html/template/escape.go b/src/html/template/escape.go
		66	index 1747ec9..b0085ce 100644
		67	--- a/src/html/template/escape.go
		68	+++ b/src/html/template/escape.go
		69	@@ -721,9 +721,12 @@ func (e escaper) escapeText(c context, n parse.TextNode) context {
		70	if c.state != c1.state && isComment(c1.state) && c1.delim == delimNone {
		71	// Preserve the portion between written and the comment start.
		72	cs := i1 - 2
		73	- if c1.state == stateHTMLCmt {
		74	+ if c1.state == stateHTMLCmt \|\| c1.state == stateJSHTMLOpenCmt {
		75	// "<!--" instead of "/*" or "//"
		76	cs -= 2
		77	+ } else if c1.state == stateJSHTMLCloseCmt {
		78	+ // "-->" instead of "/*" or "//"
		79	+ cs -= 1
		80	}
		81	b.Write(s[written:cs])
		82	written = i1
		83	diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
		84	index 7853daa..bff38c6 100644
		85	--- a/src/html/template/escape_test.go
		86	+++ b/src/html/template/escape_test.go
		87	@@ -503,6 +503,16 @@ func TestEscape(t *testing.T) {
		88	"<script>var a/b///c\nd</script>",
		89	"<script>var a \nd</script>",
		90	},
		91	+ {
		92	+ "JS HTML-like comments",
		93	+ "<script>before <!-- beep\nbetween\nbefore-->boop\n</script>",
		94	+ "<script>before \nbetween\nbefore\n</script>",
		95	+ },
		96	+ {
		97	+ "JS hashbang comment",
		98	+ "<script>#! beep\n</script>",
		99	+ "<script>\n</script>",
		100	+ },
		101	{
		102	"Special tags in <script> string literals",
		103	`<script>var a = "asd < 123 <!-- 456 < fgh <script jkl < 789 </script"</script>`,
		104	diff --git a/src/html/template/state_string.go b/src/html/template/state_string.go
		105	index 05104be..b5cfe70 100644
		106	--- a/src/html/template/state_string.go
		107	+++ b/src/html/template/state_string.go
		108	@@ -4,9 +4,9 @@ package template
		109
		110	import "strconv"
		111
		112	-const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateError"
		113	+const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
		114
		115	-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 155, 170, 184, 192, 205, 218, 231, 244, 255, 271, 286, 296}
		116	+var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 214, 233, 241, 254, 267, 280, 293, 304, 320, 335, 345, 354}
		117
		118	func (i state) String() string {
		119	if i >= state(len(_state_index)-1) {
		120	diff --git a/src/html/template/transition.go b/src/html/template/transition.go
		121	index e2660cc..3d2a37c 100644
		122	--- a/src/html/template/transition.go
		123	+++ b/src/html/template/transition.go
		124	@@ -14,32 +14,34 @@ import (
		125	// the updated context and the number of bytes consumed from the front of the
		126	// input.
		127	var transitionFunc = [...]func(context, []byte) (context, int){
		128	- stateText: tText,
		129	- stateTag: tTag,
		130	- stateAttrName: tAttrName,
		131	- stateAfterName: tAfterName,
		132	- stateBeforeValue: tBeforeValue,
		133	- stateHTMLCmt: tHTMLCmt,
		134	- stateRCDATA: tSpecialTagEnd,
		135	- stateAttr: tAttr,
		136	- stateURL: tURL,
		137	- stateSrcset: tURL,
		138	- stateJS: tJS,
		139	- stateJSDqStr: tJSDelimited,
		140	- stateJSSqStr: tJSDelimited,
		141	- stateJSBqStr: tJSDelimited,
		142	- stateJSRegexp: tJSDelimited,
		143	- stateJSBlockCmt: tBlockCmt,
		144	- stateJSLineCmt: tLineCmt,
		145	- stateCSS: tCSS,
		146	- stateCSSDqStr: tCSSStr,
		147	- stateCSSSqStr: tCSSStr,
		148	- stateCSSDqURL: tCSSStr,
		149	- stateCSSSqURL: tCSSStr,
		150	- stateCSSURL: tCSSStr,
		151	- stateCSSBlockCmt: tBlockCmt,
		152	- stateCSSLineCmt: tLineCmt,
		153	- stateError: tError,
		154	+ stateText: tText,
		155	+ stateTag: tTag,
		156	+ stateAttrName: tAttrName,
		157	+ stateAfterName: tAfterName,
		158	+ stateBeforeValue: tBeforeValue,
		159	+ stateHTMLCmt: tHTMLCmt,
		160	+ stateRCDATA: tSpecialTagEnd,
		161	+ stateAttr: tAttr,
		162	+ stateURL: tURL,
		163	+ stateSrcset: tURL,
		164	+ stateJS: tJS,
		165	+ stateJSDqStr: tJSDelimited,
		166	+ stateJSSqStr: tJSDelimited,
		167	+ stateJSBqStr: tJSDelimited,
		168	+ stateJSRegexp: tJSDelimited,
		169	+ stateJSBlockCmt: tBlockCmt,
		170	+ stateJSLineCmt: tLineCmt,
		171	+ stateJSHTMLOpenCmt: tLineCmt,
		172	+ stateJSHTMLCloseCmt: tLineCmt,
		173	+ stateCSS: tCSS,
		174	+ stateCSSDqStr: tCSSStr,
		175	+ stateCSSSqStr: tCSSStr,
		176	+ stateCSSDqURL: tCSSStr,
		177	+ stateCSSSqURL: tCSSStr,
		178	+ stateCSSURL: tCSSStr,
		179	+ stateCSSBlockCmt: tBlockCmt,
		180	+ stateCSSLineCmt: tLineCmt,
		181	+ stateError: tError,
		182	}
		183
		184	var commentStart = []byte("<!--")
		185	@@ -268,7 +270,7 @@ func tURL(c context, s []byte) (context, int) {
		186
		187	// tJS is the context transition function for the JS state.
		188	func tJS(c context, s []byte) (context, int) {
		189	- i := bytes.IndexAny(s, "\"`'/")
		190	+ i := bytes.IndexAny(s, "\"`'/<-#")
		191	if i == -1 {
		192	// Entire input is non string, comment, regexp tokens.
		193	c.jsCtx = nextJSCtx(s, c.jsCtx)
		194	@@ -298,6 +300,26 @@ func tJS(c context, s []byte) (context, int) {
		195	err: errorf(ErrSlashAmbig, nil, 0, "'/' could start a division or regexp: %.32q", s[i:]),
		196	}, len(s)
		197	}
		198	+ // ECMAScript supports HTML style comments for legacy reasons, see Appendix
		199	+ // B.1.1 "HTML-like Comments". The handling of these comments is somewhat
		200	+ // confusing. Multi-line comments are not supported, i.e. anything on lines
		201	+ // between the opening and closing tokens is not considered a comment, but
		202	+ // anything following the opening or closing token, on the same line, is
		203	+ // ignored. As such we simply treat any line prefixed with "<!--" or "-->"
		204	+ // as if it were actually prefixed with "//" and move on.
		205	+ case '<':
		206	+ if i+3 < len(s) && bytes.Equal(commentStart, s[i:i+4]) {
		207	+ c.state, i = stateJSHTMLOpenCmt, i+3
		208	+ }
		209	+ case '-':
		210	+ if i+2 < len(s) && bytes.Equal(commentEnd, s[i:i+3]) {
		211	+ c.state, i = stateJSHTMLCloseCmt, i+2
		212	+ }
		213	+ // ECMAScript also supports "hashbang" comment lines, see Section 12.5.
		214	+ case '#':
		215	+ if i+1 < len(s) && s[i+1] == '!' {
		216	+ c.state, i = stateJSLineCmt, i+1
		217	+ }
		218	default:
		219	panic("unreachable")
		220	}
		221	@@ -387,12 +409,12 @@ func tBlockCmt(c context, s []byte) (context, int) {
		222	return c, i + 2
		223	}
		224
		225	-// tLineCmt is the context transition function for //comment states.
		226	+// tLineCmt is the context transition function for //comment states, and the JS HTML-like comment state.
		227	func tLineCmt(c context, s []byte) (context, int) {
		228	var lineTerminators string
		229	var endState state
		230	switch c.state {
		231	- case stateJSLineCmt:
		232	+ case stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt:
		233	lineTerminators, endState = "\n\r\u2028\u2029", stateJS
		234	case stateCSSLineCmt:
		235	lineTerminators, endState = "\n\f\r", stateCSS
		236	--
		237	2.35.7
		238