html/template: URLs in meta content attribute actions are not escaped in html/template
An input escaping flaw has been discovered in the golang html/template module. Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added...