Closed
Description
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing, which could result in content following the tag being placed in the wrong scope during DOM construction.
For example, a tag of the form <p a=/> is interpreted by the tokenizer as self closing, resulting in incorrectly emitting <p a="/"/>. This is due to how we check if a tag is self-closing.
This is a PRIVATE issue for CVE-2025-22872, tracked in http://b/404570217.
/cc @golang/security and @golang/release
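The misclassification described above, as an added example that is not code from golang.org/x/net/html or from this issue: `naiveSelfClosing` is an assumed model of a check that only inspects the bytes before `>`, and `specSelfClosing` is a simplified start-tag scanner that follows the HTML tokenizer rule that a `/` inside an unquoted attribute value is value data. All function and state names are hypothetical and the sample tags are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

const ( // states of a simplified start-tag scanner (names are this example's own)
	tagName = iota
	beforeName
	name
	beforeValue
	unquoted
	quoted
	afterSlash
)

// naiveSelfClosing (assumed model of the bug) looks only at the tag's last bytes.
func naiveSelfClosing(tag string) bool { return strings.HasSuffix(tag, "/>") }

// specSelfClosing reports whether the '/' before '>' sits outside any attribute value.
func specSelfClosing(tag string) bool {
	st, quote := tagName, byte(0)
	for i := 1; i < len(tag); i++ {
		c, ws := tag[i], strings.IndexByte(" \t\n\f\r", tag[i]) >= 0
		switch {
		case st == quoted && c != quote: // inside a quoted value
		case st == quoted:
			st = beforeName
		case c == '>':
			return st == afterSlash
		case st == unquoted && !ws, st == beforeValue && ws: // '/' here is value data
		case st == beforeValue && (c == '"' || c == '\''):
			st, quote = quoted, c
		case st == beforeValue:
			st = unquoted
		case c == '/':
			st = afterSlash
		case ws && st != name:
			st = beforeName
		case c == '=' && st == name:
			st = beforeValue
		case !ws && st != tagName:
			st = name
		}
	}
	return false
}

func main() { fmt.Println(naiveSelfClosing(`<p a=/>`), specSelfClosing(`<p a=/>`)) } // true false
```

Inputs on which the two functions disagree are the ones where content after the tag would end up in the wrong scope, so they make useful regression cases for any sanitizer or filter built on a tokenizer.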