# Go Daily Digest — 2026-04-30

13 commits merged to master. Security-heavy day with 3 CVEs fixed.

## Security Fixes

### html/template: fix escaping of URLs in meta content attributes
- **CVE:** CVE-2026-39823
- **Issue:** [#78913](https://github.com/golang/go/issues/78913)
- **Author:** Neal Patel
- **Reviewed by:** Roland Shoemaker
- **What:** Bypass of CVE-2026-27142 fix. WHATWG shared declarative refresh steps algorithm skips ASCII whitespace between `url` and `=` in meta content; escaper didn't account for that.
- **Impact:** XSS via meta refresh redirect templates. Update if using html/template with meta redirects.

### html/template: fix escaper bypass via empty script type
- **CVE:** CVE-2026-39826
- **Issue:** [#78981](https://github.com/golang/go/issues/78981)
- **Author:** Neal Patel
- **Reviewed by:** Roland Shoemaker
- **What:** `<script type="">`, `<script type=" ">`, and `<script type="\t">` execute as JavaScript per spec, but escaper treated them as non-JS.
- **Impact:** XSS vector. Browser quirks continue to be security bugs.

### net/mail: fix quadratic consumePhrase behavior
- **CVE:** CVE-2026-42499
- **Issue:** [#78987](https://github.com/golang/go/issues/78987)
- **Author:** Neal Patel
- **Reviewed by:** Nicholas Husin
- **What:** O(n²) string concatenation in email address parsing.
- **Impact:** CPU exhaustion on untrusted email headers.

## Tooling

### cmd/go: set a HTTP user agent
- **Author:** Sean Liao
- **Issue:** [#78891](https://github.com/golang/go/issues/78891), Updates [#35699](https://github.com/golang/go/issues/35699)
- **What:** cmd/go now sends a fixed user-agent string. Original proposal declined for privacy (no version info), but static identifier useful for module proxies/CDNs.

### cmd/go: add go1.24 requirement when running go get with tools
- **Author:** Olivier Mengué
- **Issue:** Fixes [#74739](https://github.com/golang/go/issues/74739)
- **What:** Tool directives enforce minimum go1.24 in go.mod. Prevents confusing failures with older toolchains.

### cmd/go: loosen go work sync version requirements
- **Author:** Michael Matloob
- **Issue:** Fixes [#65363](https://github.com/golang/go/issues/65363)
- **What:** Workspace replace directives could hide requirements causing conflicts during sync. Requirements are now additive; errors surfaced properly instead of silently dropped.

## Compiler & Linker

### cmd/compile, go/types: disable constant string size check
- **Author:** Cherry Mui
- **Issue:** Updates [#78346](https://github.com/golang/go/issues/78346)
- **What:** Recently-added string constant size check eagerly constructed strings via constant.StringVal, causing massive memory usage with exponential doubling patterns. Rolled back pending lazy-length API.
- **Lesson:** Performance-sensitive checks need lazy evaluation.

### cmd/link: make -f flag actually ignore version mismatch
- **Author:** Cherry Mui
- **What:** The -f flag was documented as "ignore version mismatch" but didn't. Now it does.

## Crypto

### crypto/fips140: add package docs
- **Author:** Filippo Valsorda
- **Issue:** Fixes [#77879](https://github.com/golang/go/issues/77879)
- **What:** FIPS 140 package now has proper documentation.

### crypto/sha3: ensure unwrapped *sha3.Digest are usable
- **Author:** Neal Patel
- **Issue:** Updates [#75154](https://github.com/golang/go/issues/75154)

### crypto/mlkem: enrich DecapsulationKey768|1024 doc comments
- **Author:** Neal Patel
- **What:** Better docs for post-quantum ML-KEM decapsulation key types.

## Documentation

### os/signal: add Notify windows documentation
- **Author:** Alex Brainman
- **Issue:** Updates [#77076](https://github.com/golang/go/issues/77076)
- **What:** Clarifies that only os.Interrupt is supported on Windows.

### encoding/json/jsontext: add TODO about removing Internal symbol
- **Author:** Joe Tsai
- **Issue:** Updates [#73435](https://github.com/golang/go/issues/73435)
- **What:** Internal symbol is a hack for module-only visibility. TODO to replace with type aliases when pkgsite supports forwarded symbol docs.

## Patterns to Extract

- **Browser quirk security:** Any HTML spec edge case (whitespace handling, empty attributes) that browsers implement literally is a potential escaper bypass. The html/template package keeps getting hit by these.
- **Lazy evaluation for safety checks:** When adding correctness checks to compilers, the check itself must not trigger the expensive operation it's guarding against (see constant string size check OOM).
- **"Works as documented" audit:** The linker -f flag bug shows value in periodically verifying that documented behavior actually works. Fuzz the docs, not just the code.