go.mod: update golang.org/x dependencies Update golang.org/x dependencies to their latest tagged versions. Change-Id: I2715ca45bf0dbe31bf912ab365632cb80be544ca Reviewed-on: https://go-review.googlesource.com/c/net/+/710079 Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: David Chase <drchase@google.com>

html: impose open element stack size limit The HTML specification contains a number of algorithms which are quadratic in complexity by design. Instead of adding complicated workarounds to prevent these cases from becoming extremely expensive in pathological cases, we impose a limit of 512 to the size of the stack of open elements. It is extremely unlikely that non-adversarial HTML documents will ever hit this limit (but if we see cases of this, we may want to make the limit configurable via a ParseOption). Thanks to Guido Vranken and Jakub Ciolek for both independently reporting this issue. Fixes CVE-2025-47911 Fixes golang/go#75682 Change-Id: I890517b189af4ffbf427d25d3fde7ad7ec3509ad Reviewed-on: https://go-review.googlesource.com/c/net/+/709876 Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

http2: fix race condition when disabling goroutine debugging for one … …test Fixes golang/go#66519 Change-Id: I7aecf20db44caaaf49754d62db193b8c42f3c63a Reviewed-on: https://go-review.googlesource.com/c/net/+/701836 Auto-Submit: Damien Neil <dneil@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

go.mod: update golang.org/x dependencies Update golang.org/x dependencies to their latest tagged versions. Change-Id: Id3afb41fc96c3eaa63241116bb332d4779e6b5f6 Reviewed-on: https://go-review.googlesource.com/c/net/+/694175 Reviewed-by: David Chase <drchase@google.com> Auto-Submit: Gopher Robot <gobot@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

go.mod: update golang.org/x dependencies Update golang.org/x dependencies to their latest tagged versions. Change-Id: Icb45ef272d4eb5920b8e531ba311b3efb42af72c Reviewed-on: https://go-review.googlesource.com/c/net/+/687275 Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

go.mod: update golang.org/x dependencies Update golang.org/x dependencies to their latest tagged versions. Change-Id: Ief62c666e731ea5aa7bbf9b6be66c47cb463f867 Reviewed-on: https://go-review.googlesource.com/c/net/+/679315 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: David Chase <drchase@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Gopher Robot <gobot@golang.org>

go.mod: update golang.org/x dependencies Update golang.org/x dependencies to their latest tagged versions. Change-Id: Id9bf9fda6785763f418cbe165472193bb23c7401 Reviewed-on: https://go-review.googlesource.com/c/net/+/670096 Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Gopher Robot <gobot@golang.org>

go.mod: update golang.org/x dependencies Update golang.org/x dependencies to their latest tagged versions. Change-Id: I9999157ec9379b23f07925ac574003001fdd773c Reviewed-on: https://go-review.googlesource.com/c/net/+/662836 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

html: properly handle trailing solidus in unquoted attribute value in… … foreign content The parser properly treats tags like <p a=/> as <p a="/">, but the tokenizer emits the SelfClosingTagToken token incorrectly. When the parser is used to parse foreign content, this results in an incorrect DOM. Thanks to Sean Ng (https://ensy.zip) for reporting this issue. Fixes golang/go#73070 Fixes CVE-2025-22872 Change-Id: I65c18df6d6244bf943b61e6c7a87895929e78f4f Reviewed-on: https://go-review.googlesource.com/c/net/+/661256 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Gopher Robot <gobot@golang.org>

go.mod: update golang.org/x dependencies Update golang.org/x dependencies to their latest tagged versions. Change-Id: I1572a13b12dce8520f2b7f74c6516a6f1f6c9822 Reviewed-on: https://go-review.googlesource.com/c/net/+/655038 Auto-Submit: Gopher Robot <gobot@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: David Chase <drchase@google.com>