gohugoio
diff --git a/‎scripts/fork_go_templates/main.go‎
Lines changed: 1 addition & 1 deletion b/‎scripts/fork_go_templates/main.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎tpl/internal/go_templates/htmltemplate/clone_test.go‎
Lines changed: 2 additions & 2 deletions b/‎tpl/internal/go_templates/htmltemplate/clone_test.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎tpl/internal/go_templates/htmltemplate/content_test.go‎
Lines changed: 3 additions & 3 deletions b/‎tpl/internal/go_templates/htmltemplate/content_test.go‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎tpl/internal/go_templates/htmltemplate/context.go‎
Lines changed: 13 additions & 1 deletion b/‎tpl/internal/go_templates/htmltemplate/context.go‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎tpl/internal/go_templates/htmltemplate/css_test.go‎
Lines changed: 2 additions & 2 deletions b/‎tpl/internal/go_templates/htmltemplate/css_test.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎tpl/internal/go_templates/htmltemplate/escape.go‎
Lines changed: 6 additions & 9 deletions b/‎tpl/internal/go_templates/htmltemplate/escape.go‎
Lines changed: 6 additions & 9 deletions
diff --git a/‎tpl/internal/go_templates/htmltemplate/escape_test.go‎
Lines changed: 62 additions & 15 deletions b/‎tpl/internal/go_templates/htmltemplate/escape_test.go‎
Lines changed: 62 additions & 15 deletions
diff --git a/‎tpl/internal/go_templates/htmltemplate/html_test.go‎
Lines changed: 2 additions & 2 deletions b/‎tpl/internal/go_templates/htmltemplate/html_test.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎tpl/internal/go_templates/htmltemplate/js.go‎
Lines changed: 1 addition & 0 deletions b/‎tpl/internal/go_templates/htmltemplate/js.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎tpl/internal/go_templates/htmltemplate/js_test.go‎
Lines changed: 4 additions & 3 deletions b/‎tpl/internal/go_templates/htmltemplate/js_test.go‎
Lines changed: 4 additions & 3 deletions
@@ -15,7 +15,7 @@ import (
 )
 
 func main() {
-	// The current is built with e87b10ea2a2c6c65b80c4374af42b9c02ac9fb20 go1.26.1
+	// The current is built with 2dc996f71b0ebafb77e64433e58333e049488a3c go1.26.3
 	// TODO(bep) preserve the staticcheck.conf file.
 	fmt.Println("Forking ...")
 	defer fmt.Println("Done ...")
 
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.13 && !windows
-// +build go1.13,!windows
+//go:build !windows
+// +build !windows
 
 package template
 
 
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.13 && !windows
-// +build go1.13,!windows
+//go:build !windows
+// +build !windows
 
 package template
 
@@ -428,7 +428,7 @@ func TestStringer(t *testing.T) {
 	if err := tmpl.Execute(b, s); err != nil {
 		t.Fatal(err)
 	}
-	var expect = "string=3"
+	expect := "string=3"
 	if b.String() != expect {
 		t.Errorf("expected %q got %q", expect, b.String())
 	}
 
@@ -6,6 +6,7 @@ package template
 
 import (
 	"fmt"
+	"slices"
 
 	"github.com/gohugoio/hugo/tpl/internal/go_templates/texttemplate/parse"
 )
@@ -38,7 +39,7 @@ func (c context) String() string {
 	if c.err != nil {
 		err = c.err
 	}
-	return fmt.Sprintf("{%v %v %v %v %v %v %v}", c.state, c.delim, c.urlPart, c.jsCtx, c.attr, c.element, err)
+	return fmt.Sprintf("{%v %v %v %v %v %v %v %v}", c.state, c.delim, c.urlPart, c.jsCtx, c.jsBraceDepth, c.attr, c.element, err)
 }
 
 // eq reports whether two contexts are equal.
@@ -47,6 +48,7 @@ func (c context) eq(d context) bool {
 		c.delim == d.delim &&
 		c.urlPart == d.urlPart &&
 		c.jsCtx == d.jsCtx &&
+		slices.Equal(c.jsBraceDepth, d.jsBraceDepth) &&
 		c.attr == d.attr &&
 		c.element == d.element &&
 		c.err == d.err
@@ -69,6 +71,9 @@ func (c context) mangle(templateName string) string {
 	if c.jsCtx != jsCtxRegexp {
 		s += "_" + c.jsCtx.String()
 	}
+	if c.jsBraceDepth != nil {
+		s += fmt.Sprintf("_jsBraceDepth(%v)", c.jsBraceDepth)
+	}
 	if c.attr != attrNone {
 		s += "_" + c.attr.String()
 	}
@@ -78,6 +83,13 @@ func (c context) mangle(templateName string) string {
 	return s
 }
 
+// clone returns a copy of c with the same field values.
+func (c context) clone() context {
+	clone := c
+	clone.jsBraceDepth = slices.Clone(c.jsBraceDepth)
+	return clone
+}
+
 // state describes a high-level HTML parser state.
 //
 // It bounds the top of the element stack, and by extension the HTML insertion
 
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.13 && !windows
-// +build go1.13,!windows
+//go:build !windows
+// +build !windows
 
 package template
 
 
@@ -8,6 +8,7 @@ import (
 	"bytes"
 	"fmt"
 	"html"
+	//"internal/godebug"
 	"io"
 	"maps"
 	"regexp"
@@ -164,7 +165,9 @@ func (e *escaper) escape(c context, n parse.Node) context {
 	panic("escaping " + n.String() + " is unimplemented")
 }
 
-var htmlmetacontenturlescape = true // godebug.New("htmlmetacontenturlescape")
+//var debugAllowActionJSTmpl = godebug.New("jstmpllitinterp")
+
+var htmlmetacontenturlescape = true //godebug.New("htmlmetacontenturlescape")
 
 // escapeAction escapes an action template node.
 func (e *escaper) escapeAction(c context, n *parse.ActionNode) context {
@@ -228,12 +231,6 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context {
 	case stateMetaContentURL:
 		if htmlmetacontenturlescape {
 			s = append(s, "_html_template_urlfilter")
-		} else {
-			// We don't have a great place to increment this, since it's hard to
-			// know if we actually escape any urls in _html_template_urlfilter,
-			// since it has no information about what context it is being
-			// executed in etc. This is probably the best we can do.
-			// htmlmetacontenturlescape.IncNonDefault()
 		}
 	case stateJS:
 		s = append(s, "_html_template_jsvalescaper")
@@ -521,7 +518,7 @@ func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string)
 	if nodeName == "range" {
 		e.rangeContext = &rangeContext{outer: e.rangeContext}
 	}
-	c0 := e.escapeList(c, n.List)
+	c0 := e.escapeList(c.clone(), n.List)
 	if nodeName == "range" {
 		if c0.state != stateError {
 			c0 = joinRange(c0, e.rangeContext)
@@ -552,7 +549,7 @@ func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string)
 			return c0
 		}
 	}
-	c1 := e.escapeList(c, n.ElseList)
+	c1 := e.escapeList(c.clone(), n.ElseList)
 	return join(c0, c1, n, nodeName)
 }
 
 
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.13 && !windows
-// +build go1.13,!windows
+//go:build !windows
+// +build !windows
 
 package template
 
@@ -236,6 +236,21 @@ func TestEscape(t *testing.T) {
 			"<script>alert({{.A}})</script>",
 			`<script>alert(["\u003ca\u003e","\u003cb\u003e"])</script>`,
 		},
+		{
+			"scriptTypeSpace",
+			"<script type=\" \">{{.H}}</script>",
+			"<script type=\" \">\"\\u003cHello\\u003e\"</script>",
+		},
+		{
+			"scriptTypeTab",
+			"<script type=\"\t\">{{.H}}</script>",
+			"<script type=\"\t\">\"\\u003cHello\\u003e\"</script>",
+		},
+		{
+			"scriptTypeEmpty",
+			"<script type=\"\">{{.H}}</script>",
+			"<script type=\"\">\"\\u003cHello\\u003e\"</script>",
+		},
 		{
 			"jsObjValueNotOverEscaped",
 			"<button onclick='alert({{.A | html}})'>",
@@ -749,6 +764,26 @@ func TestEscape(t *testing.T) {
 			`<meta http-equiv="refresh" content="{{"asd: 123"}}">`,
 			`<meta http-equiv="refresh" content="asd: 123">`,
 		},
+		{
+			"meta content url with whitespace before equals",
+			`<meta http-equiv="refresh" content="0;url ={{"javascript:alert(1)"}}">`,
+			`<meta http-equiv="refresh" content="0;url =#ZgotmplZ">`,
+		},
+		{
+			"meta content url with tab before equals",
+			"<meta http-equiv=\"refresh\" content=\"0;url\t={{\"javascript:alert(1)\"}}\">",
+			"<meta http-equiv=\"refresh\" content=\"0;url\t=#ZgotmplZ\">",
+		},
+		{
+			"meta content url with space after equals",
+			`<meta http-equiv="refresh" content="0;url= {{"javascript:alert(1)"}}">`,
+			`<meta http-equiv="refresh" content="0;url= #ZgotmplZ">`,
+		},
+		{
+			"meta content url with whitespace both sides of equals",
+			"<meta http-equiv=\"refresh\" content=\"0;url \t= {{\"javascript:alert(1)\"}}\">",
+			"<meta http-equiv=\"refresh\" content=\"0;url \t= #ZgotmplZ\">",
+		},
 	}
 
 	for _, test := range tests {
@@ -1189,6 +1224,18 @@ func TestErrors(t *testing.T) {
 			// html is allowed since it is the last command in the pipeline, but urlquery is not.
 			`predefined escaper "urlquery" disallowed in template`,
 		},
+		{
+			"<script>var a = `{{if .X}}`{{end}}",
+			`{{if}} branches end in different contexts`,
+		},
+		{
+			"<script>var a = `{{if .X}}a{{else}}`{{end}}",
+			`{{if}} branches end in different contexts`,
+		},
+		{
+			"<script>var a = `{{if .X}}a{{else}}b{{end}}`</script>",
+			``,
+		},
 	}
 	for _, test := range tests {
 		buf := new(bytes.Buffer)
@@ -1759,43 +1806,43 @@ func TestEscapeText(t *testing.T) {
 		},
 		{
 			"<script>var a = `${",
-			context{state: stateJS, element: elementScript},
+			context{state: stateJS, element: elementScript, jsBraceDepth: []int{0}},
 		},
 		{
 			"<script>var a = `${}",
 			context{state: stateJSTmplLit, element: elementScript},
 		},
 		{
 			"<script>var a = `${`",
-			context{state: stateJSTmplLit, element: elementScript},
+			context{state: stateJSTmplLit, element: elementScript, jsBraceDepth: []int{0}},
 		},
 		{
 			"<script>var a = `${var a = \"",
-			context{state: stateJSDqStr, element: elementScript},
+			context{state: stateJSDqStr, element: elementScript, jsBraceDepth: []int{0}},
 		},
 		{
 			"<script>var a = `${var a = \"`",
-			context{state: stateJSDqStr, element: elementScript},
+			context{state: stateJSDqStr, element: elementScript, jsBraceDepth: []int{0}},
 		},
 		{
 			"<script>var a = `${var a = \"}",
-			context{state: stateJSDqStr, element: elementScript},
+			context{state: stateJSDqStr, element: elementScript, jsBraceDepth: []int{0}},
 		},
 		{
 			"<script>var a = `${``",
-			context{state: stateJS, element: elementScript},
+			context{state: stateJS, element: elementScript, jsBraceDepth: []int{0}},
 		},
 		{
 			"<script>var a = `${`}",
-			context{state: stateJSTmplLit, element: elementScript},
+			context{state: stateJSTmplLit, element: elementScript, jsBraceDepth: []int{0}},
 		},
 		{
 			"<script>`${ {} } asd`</script><script>`${ {} }",
 			context{state: stateJSTmplLit, element: elementScript},
 		},
 		{
 			"<script>var foo = `${ (_ => { return \"x\" })() + \"${",
-			context{state: stateJSDqStr, element: elementScript},
+			context{state: stateJSDqStr, element: elementScript, jsBraceDepth: []int{0}},
 		},
 		{
 			"<script>var a = `${ {</script><script>var b = `${ x }",
@@ -1823,23 +1870,23 @@ func TestEscapeText(t *testing.T) {
 		},
 		{
 			"<script>`${ { `` }",
-			context{state: stateJS, element: elementScript},
+			context{state: stateJS, element: elementScript, jsBraceDepth: []int{0}},
 		},
 		{
 			"<script>`${ { }`",
-			context{state: stateJSTmplLit, element: elementScript},
+			context{state: stateJSTmplLit, element: elementScript, jsBraceDepth: []int{0}},
 		},
 		{
 			"<script>var foo = `${ foo({ a: { c: `${",
-			context{state: stateJS, element: elementScript},
+			context{state: stateJS, element: elementScript, jsBraceDepth: []int{2, 0}},
 		},
 		{
 			"<script>var foo = `${ foo({ a: { c: `${ {{.}} }` }, b: ",
-			context{state: stateJS, element: elementScript},
+			context{state: stateJS, element: elementScript, jsBraceDepth: []int{1}},
 		},
 		{
 			"<script>`${ `}",
-			context{state: stateJSTmplLit, element: elementScript},
+			context{state: stateJSTmplLit, element: elementScript, jsBraceDepth: []int{0}},
 		},
 	}
 
 
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.13 && !windows
-// +build go1.13,!windows
+//go:build !windows
+// +build !windows
 
 package template
 
 
@@ -463,6 +463,7 @@ func isJSType(mimeType string) bool {
 	mimeType = strings.TrimSpace(mimeType)
 	switch mimeType {
 	case
+		"",
 		"application/ecmascript",
 		"application/javascript",
 		"application/json",
 
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.13 && !windows
-// +build go1.13,!windows
+//go:build !windows
+// +build !windows
 
 package template
 
@@ -221,7 +221,8 @@ func TestJSStrEscaper(t *testing.T) {
 		{"<!--", `\u003c!--`},
 		{"-->", `--\u003e`},
 		// From https://code.google.com/p/doctype/wiki/ArticleUtf7
-		{"+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
+		{
+			"+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
 			`\u002bADw-script\u002bAD4-alert(1)\u002bADw-\/script\u002bAD4-`,
 		},
 		// Invalid UTF-8 sequence
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ import (`
`15`	`15`	`)`
`16`	`16`
`17`	`17`	`func main() {`
`18`		`- // The current is built with e87b10ea2a2c6c65b80c4374af42b9c02ac9fb20 go1.26.1`
	`18`	`+ // The current is built with 2dc996f71b0ebafb77e64433e58333e049488a3c go1.26.3`
`19`	`19`	`// TODO(bep) preserve the staticcheck.conf file.`
`20`	`20`	`fmt.Println("Forking ...")`
`21`	`21`	`defer fmt.Println("Done ...")`