From 1adf8263024e2a21c421e6b4bc4273612d87d78a Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour <demi@invisiblethingslab.com>
Date: Sun, 14 Jul 2024 17:56:38 -0400
Subject: [PATCH] encoding/xml: reject processing instructions with reserved
 names

This is required by the spec.

Fixes: #68499
---
 src/encoding/xml/xml.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/encoding/xml/xml.go b/src/encoding/xml/xml.go
index 0fe323f7c86..bb79a60a186 100644
--- a/src/encoding/xml/xml.go
+++ b/src/encoding/xml/xml.go
@@ -610,6 +610,11 @@ func (d *Decoder) rawToken() (Token, error) {
 			}
 			return nil, d.err
 		}
+		if len(target) >= 3 && target[0:3] != xmlPrefix &&
+		   (target[0] | 0x20) == 'x' && (target[1] | 0x20) == 'm' && (target[2] | 0x20) == 'l' {
+			d.err = d.syntaxError("Processing instruction name is reserved")
+			return nil, d.err
+		}
 		d.space()
 		d.buf.Reset()
 		var b0 byte