go-patterns/changelog/2026-04-30.md
2026-04-30 14:07:37 +00:00

Go Daily Digest — 2026-04-30

13 commits merged to master. Security-heavy day with 3 CVEs fixed.

Security Fixes

html/template: fix escaping of URLs in meta content attributes

  • CVE: CVE-2026-39823
  • Issue: #78913
  • Author: Neal Patel
  • Reviewed by: Roland Shoemaker
  • What: Bypass of the CVE-2026-27142 fix. The WHATWG shared declarative refresh steps algorithm skips ASCII whitespace between url and = in the meta content attribute; the escaper didn't account for that.
  • Impact: XSS via meta refresh redirect templates. Update if using html/template with meta redirects.

html/template: fix escaper bypass via empty script type

  • CVE: CVE-2026-39826
  • Issue: #78981
  • Author: Neal Patel
  • Reviewed by: Roland Shoemaker
  • What: <script type="">, <script type=" ">, and <script type="\t"> execute as JavaScript per spec, but escaper treated them as non-JS.
  • Impact: XSS vector. Browser quirks continue to be security bugs.
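Both html/template fixes above come down to the same mismatch: the browser's parsing rule is looser than the rule the escaper assumed. The following Go program is an added example, not code from the Go repository, that models the two browser-side rules the digest names (ASCII whitespace between "url" and "=" in a meta refresh content value; ASCII-whitespace-only script type attributes) next to a literal "url=" matcher so the gap is visible in code. Function names, the abbreviated JavaScript MIME type list, and the simplified spec branches are my own.

```go
package main

import (
	"fmt"
	"strings"
)

// isASCIIWhitespace reports whether c is HTML "ASCII whitespace":
// TAB, LF, FF, CR or SPACE.
func isASCIIWhitespace(c byte) bool {
	return c == '\t' || c == '\n' || c == '\f' || c == '\r' || c == ' '
}

// scriptRunsAsJavaScript models the "prepare the script element" step: the
// type attribute is stripped of leading and trailing ASCII whitespace, and an
// empty result (no attribute, type="", type=" ", type="\t") means a classic
// JavaScript script. The JavaScript MIME type list is abbreviated.
func scriptRunsAsJavaScript(hasTypeAttr bool, typeAttr string) bool {
	if !hasTypeAttr {
		return true
	}
	t := strings.TrimFunc(typeAttr, func(r rune) bool {
		return r < 0x80 && isASCIIWhitespace(byte(r))
	})
	switch strings.ToLower(t) {
	case "", "text/javascript", "application/javascript", "module":
		return true
	}
	return false
}

// literalURLKeyword is the narrower rule the digest describes the escaper as
// having relied on: "url" immediately followed by "=". Constructed to show the
// gap; it is not the html/template source.
func literalURLKeyword(content string) bool {
	return strings.Contains(strings.ToLower(content), "url=")
}

// metaRefreshURL follows the WHATWG shared declarative refresh steps far
// enough to recover the navigation target of a meta refresh content value:
// optional delay, optional ';' or ',', optional "url" keyword, ASCII
// whitespace, '=', ASCII whitespace, optional quotes. Minor spec branches are
// simplified.
func metaRefreshURL(content string) (string, bool) {
	p, n := 0, len(content)
	skipWS := func() {
		for p < n && isASCIIWhitespace(content[p]) {
			p++
		}
	}
	skipWS()
	for p < n && ((content[p] >= '0' && content[p] <= '9') || content[p] == '.') {
		p++ // the delay; its value is irrelevant here
	}
	skipWS()
	if p < n && (content[p] == ';' || content[p] == ',') {
		p++
	}
	skipWS()
	if p >= n {
		return "", false // no target: a bare delay reloads the current page
	}
	// Whitespace between "url" and "=" is skipped here; that is the case the
	// escaper previously did not recognise as a URL context.
	if p+3 <= n && strings.EqualFold(content[p:p+3], "url") {
		q := p + 3
		for q < n && isASCIIWhitespace(content[q]) {
			q++
		}
		if q < n && content[q] == '=' {
			p = q + 1
			skipWS()
		}
	}
	rest := content[p:]
	if len(rest) > 0 && (rest[0] == '\'' || rest[0] == '"') {
		quote := rest[0]
		rest = rest[1:]
		if i := strings.IndexByte(rest, quote); i >= 0 {
			rest = rest[:i]
		}
	}
	return rest, true
}

func main() {
	// Constructed content values; "/next" is a placeholder target.
	for _, c := range []string{"0; url=/next", "0; url = /next", "5;URL\t=\t'/next'", "5"} {
		u, ok := metaRefreshURL(c)
		fmt.Printf("%-22q browser target=%q ok=%v literal url= seen=%v\n", c, u, ok, literalURLKeyword(c))
	}
	for _, t := range []string{"", " ", "\t", "application/json"} {
		fmt.Printf("type=%q runs as JavaScript: %v\n", t, scriptRunsAsJavaScript(true, t))
	}
}
```

The useful audit habit is the one the output makes obvious: decide "is this a URL context" or "is this a script context" with the browser's tokenisation rule, never with a literal substring match, and treat any whitespace-tolerant or empty-attribute form the spec accepts as the same context.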

net/mail: fix quadratic consumePhrase behavior

  • CVE: CVE-2026-42499
  • Issue: #78987
  • Author: Neal Patel
  • Reviewed by: Nicholas Husin
  • What: O(n²) string concatenation in email address parsing.
  • Impact: CPU exhaustion on untrusted email headers.
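To make the quadratic-concatenation class of bug concrete, here is an added Go example (not net/mail's consumePhrase, and not code from the Go repository) with a toy display-name consumer written both ways: accumulating with += and counting the bytes each append copies, and the same logic on a strings.Builder. It also shows the defence that does not depend on the parser's complexity class: bounding untrusted header size before parsing. The size cap, function names and sample header are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// stopAtAngle returns the display-name part before the first '<', the way an
// address parser reads the phrase in `Name <addr>`. Toy model, constructed for
// illustration.
func stopAtAngle(s string) string {
	if i := strings.IndexByte(s, '<'); i >= 0 {
		return s[:i]
	}
	return s
}

// consumePhraseQuadratic joins the words with +=. Every += allocates a new
// string and copies the whole accumulated phrase, so n words cost O(n²) bytes
// of copying. copied counts those bytes to make the cost visible.
func consumePhraseQuadratic(s string) (phrase string, copied int) {
	for _, w := range strings.Fields(stopAtAngle(s)) {
		if phrase != "" {
			copied += len(phrase)
			phrase += " "
		}
		copied += len(phrase)
		phrase += w
	}
	return phrase, copied
}

// consumePhraseLinear appends into a strings.Builder, whose buffer grows
// geometrically, so the whole phrase costs O(n) bytes of copying.
func consumePhraseLinear(s string) string {
	var b strings.Builder
	for i, w := range strings.Fields(stopAtAngle(s)) {
		if i > 0 {
			b.WriteByte(' ')
		}
		b.WriteString(w)
	}
	return b.String()
}

// maxHeaderBytes is an assumed cap for untrusted address headers; pick the
// value your mail path actually needs.
const maxHeaderBytes = 8 << 10

// parsePhraseUntrusted rejects oversized input before any parsing happens.
func parsePhraseUntrusted(s string) (string, error) {
	if len(s) > maxHeaderBytes {
		return "", errors.New("address header exceeds size limit")
	}
	return consumePhraseLinear(s), nil
}

func main() {
	hdr := strings.Repeat("ab ", 1000) + "<user@example.test>" // constructed input
	q, copied := consumePhraseQuadratic(hdr)
	l := consumePhraseLinear(hdr)
	fmt.Printf("same result: %v; phrase length %d; bytes copied by +=: %d\n", q == l, len(l), copied)
	if _, err := parsePhraseUntrusted(strings.Repeat("x ", 10000)); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

For 1000 two-letter words the += version copies roughly three million bytes to produce a 2999-byte phrase; the ratio keeps growing with the input, which is exactly what an attacker-controlled header turns into CPU time.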

Tooling

cmd/go: set an HTTP user agent

  • Author: Sean Liao
  • Issue: #78891, Updates #35699
  • What: cmd/go now sends a fixed user-agent string. Original proposal declined for privacy (no version info), but static identifier useful for module proxies/CDNs.

cmd/go: add go1.24 requirement when running go get with tools

  • Author: Olivier Mengué
  • Issue: Fixes #74739
  • What: Tool directives enforce minimum go1.24 in go.mod. Prevents confusing failures with older toolchains.

cmd/go: loosen go work sync version requirements

  • Author: Michael Matloob
  • Issue: Fixes #65363
  • What: Workspace replace directives could hide requirements causing conflicts during sync. Requirements are now additive; errors surfaced properly instead of silently dropped.

Compiler & Linker

cmd/compile, go/types: disable constant string size check

  • Author: Cherry Mui
  • Issue: Updates #78346
  • What: Recently-added string constant size check eagerly constructed strings via constant.StringVal, causing massive memory usage with exponential doubling patterns. Rolled back pending lazy-length API.
  • Lesson: Performance-sensitive checks need lazy evaluation.

cmd/link: -f flag [commit title missing from digest]

  • Author: Cherry Mui
  • What: The -f flag was documented as "ignore version mismatch" but didn't. Now it does.
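The constant string size check entry above (and the "lazy evaluation for safety checks" pattern at the end of this digest) is easier to see with a model in hand. This added Go example is not code from the Go compiler or go/constant: it represents a folded string constant as an expression tree that records its length at construction, so a doubling chain of 60 concatenations can be size-checked without allocating the 2^61 bytes that materialising it would need. The type, the limit and the function names are my own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// constStr is a constant-folded string expression that records its length at
// construction instead of materialising bytes. Constructed illustration of the
// lazy-length idea; go/constant offers no such type (the digest says the check
// was rolled back pending one).
type constStr struct {
	leaf        string    // literal text when left == nil
	left, right *constStr // operands of a + when not a leaf
	length      int64
}

func lit(s string) *constStr { return &constStr{leaf: s, length: int64(len(s))} }

func concat(a, b *constStr) *constStr {
	return &constStr{left: a, right: b, length: a.length + b.length}
}

// materialize builds the actual bytes; cost is proportional to length.
func (c *constStr) materialize() string {
	var b strings.Builder
	b.Grow(int(c.length))
	var walk func(*constStr)
	walk = func(n *constStr) {
		if n.left == nil {
			b.WriteString(n.leaf)
			return
		}
		walk(n.left)
		walk(n.right)
	}
	walk(c)
	return b.String()
}

// maxConstStringLen is a hypothetical limit for the size check.
const maxConstStringLen = 1 << 30

var errTooLong = errors.New("constant string too long")

// checkSizeEager materialises first and measures second, as the rolled-back
// check effectively did via constant.StringVal. On a doubling chain this
// allocates the whole exponential value before it can reject it.
func checkSizeEager(c *constStr) error {
	if int64(len(c.materialize())) > maxConstStringLen {
		return errTooLong
	}
	return nil
}

// checkSizeLazy reads the cached length: O(1), no allocation.
func checkSizeLazy(c *constStr) error {
	if c.length > maxConstStringLen {
		return errTooLong
	}
	return nil
}

// doublingChain models the source pattern s1 = s0 + s0; s2 = s1 + s1; ...
// whose folded value is len(seed) * 2^k bytes.
func doublingChain(seed string, k int) *constStr {
	c := lit(seed)
	for i := 0; i < k; i++ {
		c = concat(c, c)
	}
	return c
}

func main() {
	small := doublingChain("ab", 3)
	fmt.Println(small.materialize(), checkSizeEager(small), checkSizeLazy(small))
	huge := doublingChain("ab", 60) // 2^61 bytes if folded eagerly
	fmt.Println("lazy check on 2^61-byte constant:", checkSizeLazy(huge))
	// checkSizeEager(huge) would try to allocate the whole value; do not call it.
}
```

The design point is that the guard reads metadata the folding step already knows rather than the value it is protecting against; a check that has to build the thing it limits has already lost.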

Crypto

crypto/fips140: add package docs

  • Author: Filippo Valsorda
  • Issue: Fixes #77879
  • What: FIPS 140 package now has proper documentation.

crypto/sha3: ensure unwrapped *sha3.Digest are usable

  • Author: Neal Patel
  • Issue: Updates #75154

crypto/mlkem: enrich DecapsulationKey768|1024 doc comments

  • Author: Neal Patel
  • What: Better docs for post-quantum ML-KEM decapsulation key types.

Documentation

os/signal: add Notify windows documentation

  • Author: Alex Brainman
  • Issue: Updates #77076
  • What: Clarifies that only os.Interrupt is supported on Windows.

encoding/json/jsontext: add TODO about removing Internal symbol

  • Author: Joe Tsai
  • Issue: Updates #73435
  • What: Internal symbol is a hack for module-only visibility. TODO to replace with type aliases when pkgsite supports forwarded symbol docs.

Patterns to Extract

  • Browser quirk security: Any HTML spec edge case (whitespace handling, empty attributes) that browsers implement literally is a potential escaper bypass. The html/template package keeps getting hit by these.
  • Lazy evaluation for safety checks: When adding correctness checks to compilers, the check itself must not trigger the expensive operation it's guarding against (see constant string size check OOM).
  • "Works as documented" audit: The linker -f flag bug shows value in periodically verifying that documented behavior actually works. Fuzz the docs, not just the code.