CVE-2026-27142 fixed a vulnerability in which URLs were
not correctly escaped inside of a <meta> tag's
<content> attribute. If the URL content were to
insert ASCII whitespaces around the '=' rune inside of the
<content> attribute, the escaper would fail to
similarly escape it, leading to XSS.
If a trusted template author were to write a <script>
tag containing an empty 'type' attribute or a 'type'
attribute with an ASCII whitespace, the execution of the
template would incorrectly escape any data passed into the
<script> block.