@ttsc/linux-x64 0.14.0-dev.20260529.2 → 0.14.0

package/bin/go/src/crypto/x509/constraints.go

@@ -58,11 +58,11 @@ import (
 // of nameConstraintsSet, to handle constraints which define full email
 // addresses (i.e. 'test@example.com'). For bare domain constraints, we use the
 // dnsConstraints type described above, querying the domain portion of the email
-// address. For full email addresses, we also hold a map of email addresses that
-// map the local portion of the email to the domain. When querying full email
-// addresses we then check if the local portion of the email is present in the
-// map, and if so case insensitively compare the domain portion of the
-// email.
+// address. For full email addresses, we also hold a map of email addresses with
+// the domain portion of the email lowercased, since it is case insensitive. When
+// looking up an email address in the constraint set, we first check the full
+// email address map, and if we don't find anything, we check the domain portion
+// of the email address against the dnsConstraints.
 
 type nameConstraintsSet[T *net.IPNet | string, V net.IP | string] struct {
 	set []T
@@ -351,6 +351,7 @@ func newDNSConstraints(l []string, permitted bool) interface{ query(string) (str
 	if !permitted {
 		parentConstraints := map[string]string{}
 		for _, name := range nc.constraints.set {
+			name = strings.ToLower(name)
 			trimmedName := trimFirstLabel(name)
 			if trimmedName == "" {
 				continue
@@ -375,7 +376,8 @@ func (dnc *dnsConstraints) query(s string) (string, bool) {
 		return constraint, true
 	}
 
-	if !dnc.permitted && s[0] == '*' {
+	if !dnc.permitted && len(s) > 0 && s[0] == '*' {
+		s = strings.ToLower(s)
 		trimmed := trimFirstLabel(s)
 		if constraint, found := dnc.parentConstraints[trimmed]; found {
 			return constraint, true
@@ -387,16 +389,22 @@ func (dnc *dnsConstraints) query(s string) (string, bool) {
 type emailConstraints struct {
 	dnsConstraints interface{ query(string) (string, bool) }
 
-	fullEmails map[string]string
+	// fullEmails is map of rfc2821Mailboxs that are fully specified in the
+	// constraints, which we need to check for separately since they don't
+	// follow the same matching rules as the domain-based constraints. The
+	// domain portion of the rfc2821Mailbox has been lowercased, since the
+	// domain portion is case insensitive. When checking the map for an email,
+	// the domain portion of the query should also be lowercased.
+	fullEmails map[rfc2821Mailbox]struct{}
 }
 
 func newEmailConstraints(l []string, permitted bool) interface {
-	query(parsedEmail) (string, bool)
+	query(rfc2821Mailbox) (string, bool)
 } {
 	if len(l) == 0 {
 		return nil
 	}
-	exactMap := map[string]string{}
+	exactMap := map[rfc2821Mailbox]struct{}{}
 	var domains []string
 	for _, c := range l {
 		if !strings.ContainsRune(c, '@') {
@@ -411,7 +419,8 @@ func newEmailConstraints(l []string, permitted bool) interface {
 			// certificate since parsing.
 			continue
 		}
-		exactMap[parsed.local] = parsed.domain
+		parsed.domain = strings.ToLower(parsed.domain)
+		exactMap[parsed] = struct{}{}
 	}
 	ec := &emailConstraints{
 		fullEmails: exactMap,
@@ -422,16 +431,16 @@ func newEmailConstraints(l []string, permitted bool) interface {
 	return ec
 }
 
-func (ec *emailConstraints) query(s parsedEmail) (string, bool) {
-	if len(ec.fullEmails) > 0 && strings.ContainsRune(s.email, '@') {
-		if domain, ok := ec.fullEmails[s.mailbox.local]; ok && strings.EqualFold(domain, s.mailbox.domain) {
-			return ec.fullEmails[s.email] + "@" + s.mailbox.domain, true
+func (ec *emailConstraints) query(s rfc2821Mailbox) (string, bool) {
+	if len(ec.fullEmails) > 0 {
+		if _, ok := ec.fullEmails[s]; ok {
+			return fmt.Sprintf("%s@%s", s.local, s.domain), true
 		}
 	}
 	if ec.dnsConstraints == nil {
 		return "", false
 	}
-	constraint, found := ec.dnsConstraints.query(s.mailbox.domain)
+	constraint, found := ec.dnsConstraints.query(s.domain)
 	return constraint, found
 }
 
@@ -441,7 +450,7 @@ type constraints[T any, V any] struct {
 	excluded       interface{ query(V) (T, bool) }
 }
 
-func checkConstraints[T string | *net.IPNet, V any, P string | net.IP | parsedURI | parsedEmail](c constraints[T, V], s V, p P) error {
+func checkConstraints[T string | *net.IPNet, V any, P string | net.IP | parsedURI | rfc2821Mailbox](c constraints[T, V], s V, p P) error {
 	if c.permitted != nil {
 		if _, found := c.permitted.query(s); !found {
 			return fmt.Errorf("%s %q is not permitted by any constraint", c.constraintType, p)
@@ -459,13 +468,13 @@ type chainConstraints struct {
 	ip    constraints[*net.IPNet, net.IP]
 	dns   constraints[string, string]
 	uri   constraints[string, string]
-	email constraints[string, parsedEmail]
+	email constraints[string, rfc2821Mailbox]
 
 	index int
 	next  *chainConstraints
 }
 
-func (cc *chainConstraints) check(dns []string, uris []parsedURI, emails []parsedEmail, ips []net.IP) error {
+func (cc *chainConstraints) check(dns []string, uris []parsedURI, emails []rfc2821Mailbox, ips []net.IP) error {
 	for _, ip := range ips {
 		if err := checkConstraints(cc.ip, ip, ip); err != nil {
 			return err
@@ -488,8 +497,8 @@ func (cc *chainConstraints) check(dns []string, uris []parsedURI, emails []parse
 		}
 	}
 	for _, e := range emails {
-		if !domainNameValid(e.mailbox.domain, false) {
-			return fmt.Errorf("x509: cannot parse rfc822Name %q", e.mailbox)
+		if !domainNameValid(e.domain, false) {
+			return fmt.Errorf("x509: cannot parse rfc822Name %q", e)
 		}
 		if err := checkConstraints(cc.email, e, e); err != nil {
 			return err
@@ -509,7 +518,7 @@ func checkChainConstraints(chain []*Certificate) error {
 			ip:    constraints[*net.IPNet, net.IP]{"IP address", newIPNetConstraints(c.PermittedIPRanges), newIPNetConstraints(c.ExcludedIPRanges)},
 			dns:   constraints[string, string]{"DNS name", newDNSConstraints(c.PermittedDNSDomains, true), newDNSConstraints(c.ExcludedDNSDomains, false)},
 			uri:   constraints[string, string]{"URI", newDNSConstraints(c.PermittedURIDomains, true), newDNSConstraints(c.ExcludedURIDomains, false)},
-			email: constraints[string, parsedEmail]{"email address", newEmailConstraints(c.PermittedEmailAddresses, true), newEmailConstraints(c.ExcludedEmailAddresses, false)},
+			email: constraints[string, rfc2821Mailbox]{"email address", newEmailConstraints(c.PermittedEmailAddresses, true), newEmailConstraints(c.ExcludedEmailAddresses, false)},
 			index: i,
 		}
 		if currentConstraints == nil {
@@ -592,24 +601,15 @@ func parseURIs(uris []*url.URL) ([]parsedURI, error) {
 	return parsed, nil
 }
 
-type parsedEmail struct {
-	email   string
-	mailbox *rfc2821Mailbox
-}
-
-func (e parsedEmail) String() string {
-	return e.mailbox.local + "@" + e.mailbox.domain
-}
-
-func parseMailboxes(emails []string) ([]parsedEmail, error) {
-	parsed := make([]parsedEmail, 0, len(emails))
+func parseMailboxes(emails []string) ([]rfc2821Mailbox, error) {
+	parsed := make([]rfc2821Mailbox, 0, len(emails))
 	for _, email := range emails {
 		mailbox, ok := parseRFC2821Mailbox(email)
 		if !ok {
 			return nil, fmt.Errorf("cannot parse rfc822Name %q", email)
 		}
 		mailbox.domain = strings.ToLower(mailbox.domain)
-		parsed = append(parsed, parsedEmail{strings.ToLower(email), &mailbox})
+		parsed = append(parsed, mailbox)
 	}
 	return parsed, nil
 }

package/bin/go/src/crypto/x509/verify.go

@@ -253,6 +253,10 @@ type rfc2821Mailbox struct {
 	local, domain string
 }
 
+func (s rfc2821Mailbox) String() string {
+	return fmt.Sprintf("%s@%s", s.local, s.domain)
+}
+
 // parseRFC2821Mailbox parses an email address into local and domain parts,
 // based on the ABNF for a “Mailbox” from RFC 2821. According to RFC 5280,
 // Section 4.2.1.6 that's correct for an rfc822Name from a certificate: “The
@@ -716,6 +720,8 @@ func alreadyInChain(candidate *Certificate, chain []*Certificate) bool {
 // for failed checks due to different intermediates having the same Subject.
 const maxChainSignatureChecks = 100
 
+var errSignatureLimit = errors.New("x509: signature check attempts limit reached while verifying certificate chain")
+
 func (c *Certificate) buildChains(currentChain []*Certificate, sigChecks *int, opts *VerifyOptions) (chains [][]*Certificate, err error) {
 	var (
 		hintErr  error
@@ -723,16 +729,16 @@ func (c *Certificate) buildChains(currentChain []*Certificate, sigChecks *int, o
 	)
 
 	considerCandidate := func(certType int, candidate potentialParent) {
-		if candidate.cert.PublicKey == nil || alreadyInChain(candidate.cert, currentChain) {
-			return
-		}
-
 		if sigChecks == nil {
 			sigChecks = new(int)
 		}
 		*sigChecks++
 		if *sigChecks > maxChainSignatureChecks {
-			err = errors.New("x509: signature check attempts limit reached while verifying certificate chain")
+			err = errSignatureLimit
+			return
+		}
+
+		if candidate.cert.PublicKey == nil || alreadyInChain(candidate.cert, currentChain) {
 			return
 		}
 
@@ -773,11 +779,20 @@ func (c *Certificate) buildChains(currentChain []*Certificate, sigChecks *int, o
 		}
 	}
 
-	for _, root := range opts.Roots.findPotentialParents(c) {
-		considerCandidate(rootCertificate, root)
-	}
-	for _, intermediate := range opts.Intermediates.findPotentialParents(c) {
-		considerCandidate(intermediateCertificate, intermediate)
+candidateLoop:
+	for _, parents := range []struct {
+		certType   int
+		potentials []potentialParent
+	}{
+		{rootCertificate, opts.Roots.findPotentialParents(c)},
+		{intermediateCertificate, opts.Intermediates.findPotentialParents(c)},
+	} {
+		for _, parent := range parents.potentials {
+			considerCandidate(parents.certType, parent)
+			if err == errSignatureLimit {
+				break candidateLoop
+			}
+		}
 	}
 
 	if len(chains) > 0 {
@@ -1280,12 +1295,12 @@ func policiesValid(chain []*Certificate, opts VerifyOptions) bool {
 						} else {
 							// 6.1.4 (b) (3) (i) -- as updated by RFC 9618
 							pg.deleteLeaf(mapping.IssuerDomainPolicy)
-
-							// 6.1.4 (b) (3) (ii) -- as updated by RFC 9618
-							pg.prune()
 						}
 					}
 
+					// 6.1.4 (b) (3) (ii) -- as updated by RFC 9618
+					pg.prune()
+
 					for issuerStr, subjectPolicies := range mappings {
 						// 6.1.4 (b) (1) -- as updated by RFC 9618
 						if matching := pg.leafWithPolicy(OID{der: []byte(issuerStr)}); matching != nil {

package/bin/go/src/go/types/builtins.go

@@ -115,7 +115,7 @@ func (check *Checker) builtin(x *operand, call *ast.CallExpr, id builtinId) (_ b
 				for _, u := range typeset(y.typ) {
 					if s, _ := u.(*Slice); s != nil && Identical(s.elem, universeByte) {
 						// typeset ⊇ {[]byte}
-					} else if isString(u) {
+					} else if u != nil && isString(u) {
 						// typeset ⊇ {string}
 						hasString = true
 					} else {
@@ -378,7 +378,7 @@ func (check *Checker) builtin(x *operand, call *ast.CallExpr, id builtinId) (_ b
 			for _, u := range typeset(y.typ) {
 				if s, _ := u.(*Slice); s != nil && Identical(s.elem, universeByte) {
 					// typeset ⊇ {[]byte}
-				} else if isString(u) {
+				} else if u != nil && isString(u) {
 					// typeset ⊇ {string}
 				} else {
 					special = false

package/bin/go/src/go/types/signature.go

@@ -74,6 +74,9 @@ func NewSignatureType(recv *Var, recvTypeParams, typeParams []*TypeParam, params
 		last := params.At(n - 1).typ
 		var S *Slice
 		for t := range typeset(last) {
+			if t == nil {
+				break
+			}
 			var s *Slice
 			if isString(t) {
 				s = NewSlice(universeByte)

package/bin/go/src/go/types/under.go

@@ -29,12 +29,12 @@ func all(t Type, f func(t, u Type) bool) bool {
 // typeset is an iterator over the (type/underlying type) pairs of the
 // specific type terms of the type set implied by t.
 // If t is a type parameter, the implied type set is the type set of t's constraint.
-// In that case, if there are no specific terms, typeset calls yield with (nil, nil).
+// In this case, if there are no specific terms, the iterator produces (nil, nil).
 // If t is not a type parameter, the implied type set consists of just t.
-// In any case, typeset is guaranteed to call yield at least once.
+// In any case, typeset is guaranteed to produce at least one set of results.
 func typeset(t Type) iter.Seq2[Type, Type] {
 	return func(yield func(t, u Type) bool) {
-		_ = all(t, yield)
+		all(t, yield)
 	}
 }
 

package/bin/go/src/go.mod

@@ -4,7 +4,7 @@ go 1.26
 
 require (
 	golang.org/x/crypto v0.46.1-0.20251210140736-7dacc380ba00
-	golang.org/x/net v0.47.1-0.20251128220604-7c360367ab7e
+	golang.org/x/net v0.47.1-0.20260417193450-705de46f8788
 )
 
 require (

package/bin/go/src/go.sum

@@ -1,7 +1,7 @@
 golang.org/x/crypto v0.46.1-0.20251210140736-7dacc380ba00 h1:JgcPM1rzpSOZS8y69FQvnY0xN0ciHlpQqwTXJcuZIA4=
 golang.org/x/crypto v0.46.1-0.20251210140736-7dacc380ba00/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
-golang.org/x/net v0.47.1-0.20251128220604-7c360367ab7e h1:PAAT9cIDvIAIRQVz2txQvUFRt3jOlhiO84ihd8XMGlg=
-golang.org/x/net v0.47.1-0.20251128220604-7c360367ab7e/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/net v0.47.1-0.20260417193450-705de46f8788 h1:fVWwoa/P68Bsajqy2FO4dha7TRBfgf09o932L4USeXI=
+golang.org/x/net v0.47.1-0.20260417193450-705de46f8788/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
 golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=

package/bin/go/src/html/template/attr_string.go

@@ -14,11 +14,12 @@ func _() {
 	_ = x[attrStyle-3]
 	_ = x[attrURL-4]
 	_ = x[attrSrcset-5]
+	_ = x[attrMetaContent-6]
 }
 
-const _attr_name = "attrNoneattrScriptattrScriptTypeattrStyleattrURLattrSrcset"
+const _attr_name = "attrNoneattrScriptattrScriptTypeattrStyleattrURLattrSrcsetattrMetaContent"
 
-var _attr_index = [...]uint8{0, 8, 18, 32, 41, 48, 58}
+var _attr_index = [...]uint8{0, 8, 18, 32, 41, 48, 58, 73}
 
 func (i attr) String() string {
 	if i >= attr(len(_attr_index)-1) {

package/bin/go/src/html/template/context.go

@@ -6,6 +6,7 @@ package template
 
 import (
 	"fmt"
+	"slices"
 	"text/template/parse"
 )
 
@@ -37,7 +38,7 @@ func (c context) String() string {
 	if c.err != nil {
 		err = c.err
 	}
-	return fmt.Sprintf("{%v %v %v %v %v %v %v}", c.state, c.delim, c.urlPart, c.jsCtx, c.attr, c.element, err)
+	return fmt.Sprintf("{%v %v %v %v %v %v %v %v}", c.state, c.delim, c.urlPart, c.jsCtx, c.jsBraceDepth, c.attr, c.element, err)
 }
 
 // eq reports whether two contexts are equal.
@@ -46,6 +47,7 @@ func (c context) eq(d context) bool {
 		c.delim == d.delim &&
 		c.urlPart == d.urlPart &&
 		c.jsCtx == d.jsCtx &&
+		slices.Equal(c.jsBraceDepth, d.jsBraceDepth) &&
 		c.attr == d.attr &&
 		c.element == d.element &&
 		c.err == d.err
@@ -68,6 +70,9 @@ func (c context) mangle(templateName string) string {
 	if c.jsCtx != jsCtxRegexp {
 		s += "_" + c.jsCtx.String()
 	}
+	if c.jsBraceDepth != nil {
+		s += fmt.Sprintf("_jsBraceDepth(%v)", c.jsBraceDepth)
+	}
 	if c.attr != attrNone {
 		s += "_" + c.attr.String()
 	}
@@ -77,6 +82,13 @@ func (c context) mangle(templateName string) string {
 	return s
 }
 
+// clone returns a copy of c with the same field values.
+func (c context) clone() context {
+	clone := c
+	clone.jsBraceDepth = slices.Clone(c.jsBraceDepth)
+	return clone
+}
+
 // state describes a high-level HTML parser state.
 //
 // It bounds the top of the element stack, and by extension the HTML insertion
@@ -156,6 +168,10 @@ const (
 	// stateError is an infectious error state outside any valid
 	// HTML/CSS/JS construct.
 	stateError
+	// stateMetaContent occurs inside a HTML meta element content attribute.
+	stateMetaContent
+	// stateMetaContentURL occurs inside a "url=" tag in a HTML meta element content attribute.
+	stateMetaContentURL
 	// stateDead marks unreachable code after a {{break}} or {{continue}}.
 	stateDead
 )
@@ -267,6 +283,8 @@ const (
 	elementTextarea
 	// elementTitle corresponds to the RCDATA <title> element.
 	elementTitle
+	// elementMeta corresponds to the HTML <meta> element.
+	elementMeta
 )
 
 //go:generate stringer -type attr
@@ -288,4 +306,6 @@ const (
 	attrURL
 	// attrSrcset corresponds to a srcset attribute.
 	attrSrcset
+	// attrMetaContent corresponds to the content attribute in meta HTML element.
+	attrMetaContent
 )

package/bin/go/src/html/template/element_string.go

@@ -13,11 +13,12 @@ func _() {
 	_ = x[elementStyle-2]
 	_ = x[elementTextarea-3]
 	_ = x[elementTitle-4]
+	_ = x[elementMeta-5]
 }
 
-const _element_name = "elementNoneelementScriptelementStyleelementTextareaelementTitle"
+const _element_name = "elementNoneelementScriptelementStyleelementTextareaelementTitleelementMeta"
 
-var _element_index = [...]uint8{0, 11, 24, 36, 51, 63}
+var _element_index = [...]uint8{0, 11, 24, 36, 51, 63, 74}
 
 func (i element) String() string {
 	if i >= element(len(_element_index)-1) {

package/bin/go/src/html/template/escape.go

@@ -166,6 +166,8 @@ func (e *escaper) escape(c context, n parse.Node) context {
 
 var debugAllowActionJSTmpl = godebug.New("jstmpllitinterp")
 
+var htmlmetacontenturlescape = godebug.New("htmlmetacontenturlescape")
+
 // escapeAction escapes an action template node.
 func (e *escaper) escapeAction(c context, n *parse.ActionNode) context {
 	if len(n.Pipe.Decl) != 0 {
@@ -223,6 +225,18 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context {
 		default:
 			panic(c.urlPart.String())
 		}
+	case stateMetaContent:
+		// Handled below in delim check.
+	case stateMetaContentURL:
+		if htmlmetacontenturlescape.Value() != "0" {
+			s = append(s, "_html_template_urlfilter")
+		} else {
+			// We don't have a great place to increment this, since it's hard to
+			// know if we actually escape any urls in _html_template_urlfilter,
+			// since it has no information about what context it is being
+			// executed in etc. This is probably the best we can do.
+			htmlmetacontenturlescape.IncNonDefault()
+		}
 	case stateJS:
 		s = append(s, "_html_template_jsvalescaper")
 		// A slash after a value starts a div operator.
@@ -509,7 +523,7 @@ func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string)
 	if nodeName == "range" {
 		e.rangeContext = &rangeContext{outer: e.rangeContext}
 	}
-	c0 := e.escapeList(c, n.List)
+	c0 := e.escapeList(c.clone(), n.List)
 	if nodeName == "range" {
 		if c0.state != stateError {
 			c0 = joinRange(c0, e.rangeContext)
@@ -540,7 +554,7 @@ func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string)
 			return c0
 		}
 	}
-	c1 := e.escapeList(c, n.ElseList)
+	c1 := e.escapeList(c.clone(), n.ElseList)
 	return join(c0, c1, n, nodeName)
 }
 

package/bin/go/src/html/template/js.go

@@ -462,6 +462,7 @@ func isJSType(mimeType string) bool {
 	mimeType = strings.TrimSpace(mimeType)
 	switch mimeType {
 	case
+		"",
 		"application/ecmascript",
 		"application/javascript",
 		"application/json",

package/bin/go/src/html/template/state_string.go

@@ -36,12 +36,14 @@ func _() {
 	_ = x[stateCSSBlockCmt-25]
 	_ = x[stateCSSLineCmt-26]
 	_ = x[stateError-27]
-	_ = x[stateDead-28]
+	_ = x[stateMetaContent-28]
+	_ = x[stateMetaContentURL-29]
+	_ = x[stateDead-30]
 }
 
-const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSTmplLitstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
+const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSTmplLitstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateMetaContentstateMetaContentURLstateDead"
 
-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 156, 169, 184, 198, 216, 235, 243, 256, 269, 282, 295, 306, 322, 337, 347, 356}
+var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 156, 169, 184, 198, 216, 235, 243, 256, 269, 282, 295, 306, 322, 337, 347, 363, 382, 391}
 
 func (i state) String() string {
 	if i >= state(len(_state_index)-1) {

package/bin/go/src/html/template/transition.go

@@ -23,6 +23,8 @@ var transitionFunc = [...]func(context, []byte) (context, int){
 	stateRCDATA:         tSpecialTagEnd,
 	stateAttr:           tAttr,
 	stateURL:            tURL,
+	stateMetaContent:    tMetaContent,
+	stateMetaContentURL: tMetaContentURL,
 	stateSrcset:         tURL,
 	stateJS:             tJS,
 	stateJSDqStr:        tJSDelimited,
@@ -83,6 +85,7 @@ var elementContentType = [...]state{
 	elementStyle:    stateCSS,
 	elementTextarea: stateRCDATA,
 	elementTitle:    stateRCDATA,
+	elementMeta:     stateText,
 }
 
 // tTag is the context transition function for the tag state.
@@ -93,6 +96,11 @@ func tTag(c context, s []byte) (context, int) {
 		return c, len(s)
 	}
 	if s[i] == '>' {
+		// Treat <meta> specially, because it doesn't have an end tag, and we
+		// want to transition into the correct state/element for it.
+		if c.element == elementMeta {
+			return context{state: stateText, element: elementNone}, i + 1
+		}
 		return context{
 			state:   elementContentType[c.element],
 			element: c.element,
@@ -113,6 +121,8 @@ func tTag(c context, s []byte) (context, int) {
 	attrName := strings.ToLower(string(s[i:j]))
 	if c.element == elementScript && attrName == "type" {
 		attr = attrScriptType
+	} else if c.element == elementMeta && attrName == "content" {
+		attr = attrMetaContent
 	} else {
 		switch attrType(attrName) {
 		case contentTypeURL:
@@ -162,12 +172,13 @@ func tAfterName(c context, s []byte) (context, int) {
 }
 
 var attrStartStates = [...]state{
-	attrNone:       stateAttr,
-	attrScript:     stateJS,
-	attrScriptType: stateAttr,
-	attrStyle:      stateCSS,
-	attrURL:        stateURL,
-	attrSrcset:     stateSrcset,
+	attrNone:        stateAttr,
+	attrScript:      stateJS,
+	attrScriptType:  stateAttr,
+	attrStyle:       stateCSS,
+	attrURL:         stateURL,
+	attrSrcset:      stateSrcset,
+	attrMetaContent: stateMetaContent,
 }
 
 // tBeforeValue is the context transition function for stateBeforeValue.
@@ -203,6 +214,7 @@ var specialTagEndMarkers = [...][]byte{
 	elementStyle:    []byte("style"),
 	elementTextarea: []byte("textarea"),
 	elementTitle:    []byte("title"),
+	elementMeta:     []byte(""),
 }
 
 var (
@@ -612,6 +624,30 @@ func tError(c context, s []byte) (context, int) {
 	return c, len(s)
 }
 
+// tMetaContent is the context transition function for the meta content attribute state.
+func tMetaContent(c context, s []byte) (context, int) {
+	for i := range len(s) {
+		if i+3 <= len(s)-1 && bytes.EqualFold(s[i:i+3], []byte("url")) {
+			if j := eatWhiteSpace(s, i+3); j < len(s) && s[j] == '=' {
+				c.state = stateMetaContentURL
+				return c, j + 1
+			}
+		}
+	}
+	return c, len(s)
+}
+
+// tMetaContentURL is the context transition function for the "url=" part of a meta content attribute state.
+func tMetaContentURL(c context, s []byte) (context, int) {
+	for i := range len(s) {
+		if s[i] == ';' {
+			c.state = stateMetaContent
+			return c, i + 1
+		}
+	}
+	return c, len(s)
+}
+
 // eatAttrName returns the largest j such that s[i:j] is an attribute name.
 // It returns an error if s[i:] does not look like it begins with an
 // attribute name, such as encountering a quote mark without a preceding
@@ -638,6 +674,7 @@ var elementNameMap = map[string]element{
 	"style":    elementStyle,
 	"textarea": elementTextarea,
 	"title":    elementTitle,
+	"meta":     elementMeta,
 }
 
 // asciiAlpha reports whether c is an ASCII letter.

package/bin/go/src/internal/buildcfg/zbootstrap.go

@@ -4,7 +4,7 @@ package buildcfg
 
 import "runtime"
 
-const DefaultGO386 = `softfloat`
+const DefaultGO386 = `sse2`
 const DefaultGOAMD64 = `v1`
 const DefaultGOARM = `7`
 const DefaultGOARM64 = `v8.0`
@@ -15,7 +15,7 @@ const DefaultGORISCV64 = `rva20u64`
 const defaultGOEXPERIMENT = ``
 const defaultGO_EXTLINK_ENABLED = ``
 const defaultGO_LDSO = ``
-const version = `go1.26.0`
+const version = `go1.26.3`
 const defaultGOOS = runtime.GOOS
 const defaultGOARCH = runtime.GOARCH
 const DefaultGOFIPS140 = `off`

package/bin/go/src/internal/godebugs/table.go

@@ -40,6 +40,7 @@ var All = []Info{
 	{Name: "gocacheverify", Package: "cmd/go"},
 	{Name: "gotestjsonbuildtext", Package: "cmd/go", Changed: 24, Old: "1"},
 	{Name: "gotypesalias", Package: "go/types", Changed: 23, Old: "0"},
+	{Name: "htmlmetacontenturlescape", Package: "html/template"},
 	{Name: "http2client", Package: "net/http"},
 	{Name: "http2debug", Package: "net/http", Opaque: true},
 	{Name: "http2server", Package: "net/http"},