golang
diff --git a/‎src/html/template/content_test.go
Lines changed: 35 additions & 35 deletions b/‎src/html/template/content_test.go
Lines changed: 35 additions & 35 deletions
diff --git a/‎src/html/template/escape_test.go
Lines changed: 3 additions & 3 deletions b/‎src/html/template/escape_test.go
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/html/template/example_test.go
Lines changed: 3 additions & 3 deletions b/‎src/html/template/example_test.go
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/html/template/js.go
Lines changed: 42 additions & 28 deletions b/‎src/html/template/js.go
Lines changed: 42 additions & 28 deletions
@@ -18,7 +18,7 @@ func TestTypedContent(t *testing.T) {
 		HTML(`Hello, <b>World</b> &amp;tc!`),
 		HTMLAttr(` dir="ltr"`),
 		JS(`c && alert("Hello, World!");`),
-		JSStr(`Hello, World & O'Reilly\x21`),
+		JSStr(`Hello, World & O'Reilly\u0021`),
 		URL(`greeting=H%69,&addressee=(World)`),
 		Srcset(`greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`),
 		URL(`,foo/,`),
@@ -70,7 +70,7 @@ func TestTypedContent(t *testing.T) {
 				`Hello, <b>World</b> &amp;tc!`,
 				` dir=&#34;ltr&#34;`,
 				`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
-				`Hello, World &amp; O&#39;Reilly\x21`,
+				`Hello, World &amp; O&#39;Reilly\u0021`,
 				`greeting=H%69,&amp;addressee=(World)`,
 				`greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
 				`,foo/,`,
@@ -100,7 +100,7 @@ func TestTypedContent(t *testing.T) {
 				`Hello,&#32;World&#32;&amp;tc!`,
 				`&#32;dir&#61;&#34;ltr&#34;`,
 				`c&#32;&amp;&amp;&#32;alert(&#34;Hello,&#32;World!&#34;);`,
-				`Hello,&#32;World&#32;&amp;&#32;O&#39;Reilly\x21`,
+				`Hello,&#32;World&#32;&amp;&#32;O&#39;Reilly\u0021`,
 				`greeting&#61;H%69,&amp;addressee&#61;(World)`,
 				`greeting&#61;H%69,&amp;addressee&#61;(World)&#32;2x,&#32;https://golang.org/favicon.ico&#32;500.5w`,
 				`,foo/,`,
@@ -115,7 +115,7 @@ func TestTypedContent(t *testing.T) {
 				`Hello, World &amp;tc!`,
 				` dir=&#34;ltr&#34;`,
 				`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
-				`Hello, World &amp; O&#39;Reilly\x21`,
+				`Hello, World &amp; O&#39;Reilly\u0021`,
 				`greeting=H%69,&amp;addressee=(World)`,
 				`greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
 				`,foo/,`,
@@ -130,7 +130,7 @@ func TestTypedContent(t *testing.T) {
 				`Hello, &lt;b&gt;World&lt;/b&gt; &amp;tc!`,
 				` dir=&#34;ltr&#34;`,
 				`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
-				`Hello, World &amp; O&#39;Reilly\x21`,
+				`Hello, World &amp; O&#39;Reilly\u0021`,
 				`greeting=H%69,&amp;addressee=(World)`,
 				`greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
 				`,foo/,`,
@@ -146,7 +146,7 @@ func TestTypedContent(t *testing.T) {
 				// Not escaped.
 				`c && alert("Hello, World!");`,
 				// Escape sequence not over-escaped.
-				`"Hello, World & O'Reilly\x21"`,
+				`"Hello, World & O'Reilly\u0021"`,
 				`"greeting=H%69,\u0026addressee=(World)"`,
 				`"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`,
 				`",foo/,"`,
@@ -162,7 +162,7 @@ func TestTypedContent(t *testing.T) {
 				// Not JS escaped but HTML escaped.
 				`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
 				// Escape sequence not over-escaped.
-				`&#34;Hello, World &amp; O&#39;Reilly\x21&#34;`,
+				`&#34;Hello, World &amp; O&#39;Reilly\u0021&#34;`,
 				`&#34;greeting=H%69,\u0026addressee=(World)&#34;`,
 				`&#34;greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w&#34;`,
 				`&#34;,foo/,&#34;`,
@@ -171,30 +171,30 @@ func TestTypedContent(t *testing.T) {
 		{
 			`<script>alert("{{.}}")</script>`,
 			[]string{
-				`\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
-				`a[href =~ \x22\/\/example.com\x22]#foo`,
-				`Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
-				` dir=\x22ltr\x22`,
-				`c \x26\x26 alert(\x22Hello, World!\x22);`,
+				`\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
+				`a[href =~ \u0022\/\/example.com\u0022]#foo`,
+				`Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
+				` dir=\u0022ltr\u0022`,
+				`c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
 				// Escape sequence not over-escaped.
-				`Hello, World \x26 O\x27Reilly\x21`,
-				`greeting=H%69,\x26addressee=(World)`,
-				`greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
+				`Hello, World \u0026 O\u0027Reilly\u0021`,
+				`greeting=H%69,\u0026addressee=(World)`,
+				`greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
 				`,foo\/,`,
 			},
 		},
 		{
 			`<script type="text/javascript">alert("{{.}}")</script>`,
 			[]string{
-				`\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
-				`a[href =~ \x22\/\/example.com\x22]#foo`,
-				`Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
-				` dir=\x22ltr\x22`,
-				`c \x26\x26 alert(\x22Hello, World!\x22);`,
+				`\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
+				`a[href =~ \u0022\/\/example.com\u0022]#foo`,
+				`Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
+				` dir=\u0022ltr\u0022`,
+				`c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
 				// Escape sequence not over-escaped.
-				`Hello, World \x26 O\x27Reilly\x21`,
-				`greeting=H%69,\x26addressee=(World)`,
-				`greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
+				`Hello, World \u0026 O\u0027Reilly\u0021`,
+				`greeting=H%69,\u0026addressee=(World)`,
+				`greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
 				`,foo\/,`,
 			},
 		},
@@ -208,7 +208,7 @@ func TestTypedContent(t *testing.T) {
 				// Not escaped.
 				`c && alert("Hello, World!");`,
 				// Escape sequence not over-escaped.
-				`"Hello, World & O'Reilly\x21"`,
+				`"Hello, World & O'Reilly\u0021"`,
 				`"greeting=H%69,\u0026addressee=(World)"`,
 				`"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`,
 				`",foo/,"`,
@@ -224,7 +224,7 @@ func TestTypedContent(t *testing.T) {
 				`Hello, <b>World</b> &amp;tc!`,
 				` dir=&#34;ltr&#34;`,
 				`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
-				`Hello, World &amp; O&#39;Reilly\x21`,
+				`Hello, World &amp; O&#39;Reilly\u0021`,
 				`greeting=H%69,&amp;addressee=(World)`,
 				`greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
 				`,foo/,`,
@@ -233,15 +233,15 @@ func TestTypedContent(t *testing.T) {
 		{
 			`<button onclick='alert("{{.}}")'>`,
 			[]string{
-				`\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
-				`a[href =~ \x22\/\/example.com\x22]#foo`,
-				`Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
-				` dir=\x22ltr\x22`,
-				`c \x26\x26 alert(\x22Hello, World!\x22);`,
+				`\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
+				`a[href =~ \u0022\/\/example.com\u0022]#foo`,
+				`Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
+				` dir=\u0022ltr\u0022`,
+				`c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
 				// Escape sequence not over-escaped.
-				`Hello, World \x26 O\x27Reilly\x21`,
-				`greeting=H%69,\x26addressee=(World)`,
-				`greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
+				`Hello, World \u0026 O\u0027Reilly\u0021`,
+				`greeting=H%69,\u0026addressee=(World)`,
+				`greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
 				`,foo\/,`,
 			},
 		},
@@ -253,7 +253,7 @@ func TestTypedContent(t *testing.T) {
 				`Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
 				`%20dir%3d%22ltr%22`,
 				`c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
-				`Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
+				`Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
 				// Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is done.
 				`greeting=H%69,&amp;addressee=%28World%29`,
 				`greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`,
@@ -268,7 +268,7 @@ func TestTypedContent(t *testing.T) {
 				`Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
 				`%20dir%3d%22ltr%22`,
 				`c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
-				`Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
+				`Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
 				// Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is not done.
 				`greeting=H%69,&addressee=%28World%29`,
 				`greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`,
 
@@ -238,7 +238,7 @@ func TestEscape(t *testing.T) {
 		{
 			"jsStr",
 			"<button onclick='alert(&quot;{{.H}}&quot;)'>",
-			`<button onclick='alert(&quot;\x3cHello\x3e&quot;)'>`,
+			`<button onclick='alert(&quot;\u003cHello\u003e&quot;)'>`,
 		},
 		{
 			"badMarshaler",
@@ -259,7 +259,7 @@ func TestEscape(t *testing.T) {
 		{
 			"jsRe",
 			`<button onclick='alert(/{{"foo+bar"}}/.test(""))'>`,
-			`<button onclick='alert(/foo\x2bbar/.test(""))'>`,
+			`<button onclick='alert(/foo\u002bbar/.test(""))'>`,
 		},
 		{
 			"jsReBlank",
@@ -825,7 +825,7 @@ func TestEscapeSet(t *testing.T) {
 				"main":   `<button onclick="title='{{template "helper"}}'; ...">{{template "helper"}}</button>`,
 				"helper": `{{11}} of {{"<100>"}}`,
 			},
-			`<button onclick="title='11 of \x3c100\x3e'; ...">11 of &lt;100&gt;</button>`,
+			`<button onclick="title='11 of \u003c100\u003e'; ...">11 of &lt;100&gt;</button>`,
 		},
 		// A non-recursive template that ends in a different context.
 		// helper starts in jsCtxRegexp and ends in jsCtxDivOp.
 
@@ -116,9 +116,9 @@ func Example_escape() {
 	// &#34;Fran &amp; Freddie&#39;s Diner&#34; &lt;[email protected]&gt;
 	// &#34;Fran &amp; Freddie&#39;s Diner&#34; &lt;[email protected]&gt;
 	// &#34;Fran &amp; Freddie&#39;s Diner&#34;32&lt;[email protected]&gt;
-	// \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
-	// \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
-	// \"Fran \x26 Freddie\'s Diner\"32\x3Ctasty@example.com\x3E
+	// \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E
+	// \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E
+	// \"Fran \u0026 Freddie\'s Diner\"32\u003Ctasty@example.com\u003E
 	// %22Fran+%26+Freddie%27s+Diner%2232%3Ctasty%40example.com%3E
 
 }
 
@@ -163,7 +163,6 @@ func jsValEscaper(args ...interface{}) string {
 	}
 	// TODO: detect cycles before calling Marshal which loops infinitely on
 	// cyclic data. This may be an unacceptable DoS risk.
-
 	b, err := json.Marshal(a)
 	if err != nil {
 		// Put a space before comment so that if it is flush against
@@ -178,8 +177,8 @@ func jsValEscaper(args ...interface{}) string {
 	// TODO: maybe post-process output to prevent it from containing
 	// "<!--", "-->", "<![CDATA[", "]]>", or "</script"
 	// in case custom marshalers produce output containing those.
-
-	// TODO: Maybe abbreviate \u00ab to \xab to produce more compact output.
+	// Note: Do not use \x escaping to save bytes because it is not JSON compatible and this escaper
+	// supports ld+json content-type.
 	if len(b) == 0 {
 		// In, `x=y/{{.}}*z` a json.Marshaler that produces "" should
 		// not cause the output `x=y/*z`.
@@ -260,6 +259,8 @@ func replace(s string, replacementTable []string) string {
 		r, w = utf8.DecodeRuneInString(s[i:])
 		var repl string
 		switch {
+		case int(r) < len(lowUnicodeReplacementTable):
+			repl = lowUnicodeReplacementTable[r]
 		case int(r) < len(replacementTable) && replacementTable[r] != "":
 			repl = replacementTable[r]
 		case r == '\u2028':
@@ -283,67 +284,80 @@ func replace(s string, replacementTable []string) string {
 	return b.String()
 }
 
+var lowUnicodeReplacementTable = []string{
+	0: `\u0000`, 1: `\u0001`, 2: `\u0002`, 3: `\u0003`, 4: `\u0004`, 5: `\u0005`, 6: `\u0006`,
+	'\a': `\u0007`,
+	'\b': `\u0008`,
+	'\t': `\t`,
+	'\n': `\n`,
+	'\v': `\u000b`, // "\v" == "v" on IE 6.
+	'\f': `\f`,
+	'\r': `\r`,
+	0xe:  `\u000e`, 0xf: `\u000f`, 0x10: `\u0010`, 0x11: `\u0011`, 0x12: `\u0012`, 0x13: `\u0013`,
+	0x14: `\u0014`, 0x15: `\u0015`, 0x16: `\u0016`, 0x17: `\u0017`, 0x18: `\u0018`, 0x19: `\u0019`,
+	0x1a: `\u001a`, 0x1b: `\u001b`, 0x1c: `\u001c`, 0x1d: `\u001d`, 0x1e: `\u001e`, 0x1f: `\u001f`,
+}
+
 var jsStrReplacementTable = []string{
-	0:    `\0`,
+	0:    `\u0000`,
 	'\t': `\t`,
 	'\n': `\n`,
-	'\v': `\x0b`, // "\v" == "v" on IE 6.
+	'\v': `\u000b`, // "\v" == "v" on IE 6.
 	'\f': `\f`,
 	'\r': `\r`,
 	// Encode HTML specials as hex so the output can be embedded
 	// in HTML attributes without further encoding.
-	'"':  `\x22`,
-	'&':  `\x26`,
-	'\'': `\x27`,
-	'+':  `\x2b`,
+	'"':  `\u0022`,
+	'&':  `\u0026`,
+	'\'': `\u0027`,
+	'+':  `\u002b`,
 	'/':  `\/`,
-	'<':  `\x3c`,
-	'>':  `\x3e`,
+	'<':  `\u003c`,
+	'>':  `\u003e`,
 	'\\': `\\`,
 }
 
 // jsStrNormReplacementTable is like jsStrReplacementTable but does not
 // overencode existing escapes since this table has no entry for `\`.
 var jsStrNormReplacementTable = []string{
-	0:    `\0`,
+	0:    `\u0000`,
 	'\t': `\t`,
 	'\n': `\n`,
-	'\v': `\x0b`, // "\v" == "v" on IE 6.
+	'\v': `\u000b`, // "\v" == "v" on IE 6.
 	'\f': `\f`,
 	'\r': `\r`,
 	// Encode HTML specials as hex so the output can be embedded
 	// in HTML attributes without further encoding.
-	'"':  `\x22`,
-	'&':  `\x26`,
-	'\'': `\x27`,
-	'+':  `\x2b`,
+	'"':  `\u0022`,
+	'&':  `\u0026`,
+	'\'': `\u0027`,
+	'+':  `\u002b`,
 	'/':  `\/`,
-	'<':  `\x3c`,
-	'>':  `\x3e`,
+	'<':  `\u003c`,
+	'>':  `\u003e`,
 }
-
 var jsRegexpReplacementTable = []string{
-	0:    `\0`,
+	0:    `\u0000`,
 	'\t': `\t`,
 	'\n': `\n`,
-	'\v': `\x0b`, // "\v" == "v" on IE 6.
+	'\v': `\u000b`, // "\v" == "v" on IE 6.
 	'\f': `\f`,
 	'\r': `\r`,
 	// Encode HTML specials as hex so the output can be embedded
 	// in HTML attributes without further encoding.
-	'"':  `\x22`,
+	'"':  `\u0022`,
 	'$':  `\$`,
-	'&':  `\x26`,
-	'\'': `\x27`,
+	'&':  `\u0026`,
+	'\'': `\u0027`,
 	'(':  `\(`,
 	')':  `\)`,
 	'*':  `\*`,
-	'+':  `\x2b`,
+	'+':  `\u002b`,
 	'-':  `\-`,
 	'.':  `\.`,
 	'/':  `\/`,
-	'<':  `\x3c`,
-	'>':  `\x3e`,
+	'<':  `\u003c`,
+	'>':  `\u003e`,
 	'?':  `\?`,
 	'[':  `\[`,
 	'\\': `\\`,