html/template: ignore case when handling type attribute in script element

Convert the parsed attribute name to lowercase before checking its value in
the HTML parser state machine. This ensures that the type attribute in
the script element is handled in a case-sensitive manner, just like all
other attribute names.

Fixes #19965

Change-Id: I806d8c62aada2c3b5b4328aff75f217ea60cb339
Reviewed-on: https://go-review.googlesource.com/40650
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>

src/html/template/attr.go

@@ -135,9 +135,8 @@ var attrTypeMap = map[string]contentType{
 }
 
 // attrType returns a conservative (upper-bound on authority) guess at the
-// type of the named attribute.
+// type of the lowercase named attribute.
 func attrType(name string) contentType {
-	name = strings.ToLower(name)
 	if strings.HasPrefix(name, "data-") {
 		// Strip data- so that custom attribute heuristics below are
 		// widely applied.

src/html/template/escape_test.go

@@ -1404,6 +1404,11 @@ func TestEscapeText(t *testing.T) {
 			`<script type="TEXT/JAVASCRIPT">`,
 			context{state: stateJS, element: elementScript},
 		},
+		// covering issue 19965
+		{
+			`<script TYPE="text/template">`,
+			context{state: stateText},
+		},
 		{
 			`<script type="notjs">`,
 			context{state: stateText},

src/html/template/transition.go

@@ -106,7 +106,7 @@ func tTag(c context, s []byte) (context, int) {
 		}, len(s)
 	}
 
-	attrName := string(s[i:j])
+	attrName := strings.ToLower(string(s[i:j]))
 	if c.element == elementScript && attrName == "type" {
 		attr = attrScriptType
 	} else {