From 0d719823af1343f9921ee0293596f09e36ced0e4 Mon Sep 17 00:00:00 2001
From: Michael Anthony Knyszek <mknyszek@google.com>
Date: Tue, 4 Apr 2023 22:07:09 +0000
Subject: html/template,mime/multipart: document new GODEBUG settings

This change documents the new GODEBUG settings introduced for
html/template and mime/multipart, released with Go 1.19.8 and Go 1.20.3
as part of a security fix.

Updates #59153.
Updates #59234.

Change-Id: I25f4d8245da3301dccccfb44da8ff1a5985392a4
Reviewed-on: https://go-review.googlesource.com/c/go/+/482238
Auto-Submit: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
---
 doc/godebug.md | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

(limited to 'doc')

diff --git a/doc/godebug.md b/doc/godebug.md
index 44f5dfd16d..d760e0f4ef 100644
--- a/doc/godebug.md
+++ b/doc/godebug.md
@@ -130,7 +130,19 @@ and the [go command documentation](/cmd/go#hdr-Build_and_test_caching).
 
 Go 1.21 made it a run-time error to call `panic` with a nil interface value,
 controlled by the [`panicnil` setting](/pkg/builtin/#panic).
-There is no plan to remove this setting.
+
+Go 1.21 made it an error for html/template actions to appear inside of an ECMAScript 6
+template literal, controlled by the
+[`jstmpllitinterp` setting](/pkg/html/template#hdr-Security_Model).
+This behavior was backported to Go 1.19.8+ and Go 1.20.3+.
+
+Go 1.21 introduced a limit on the maximum number of MIME headers and multipart
+forms, controlled by the
+[`multipartmaxheaders` and `multipartmaxparts` settings](/pkg/mime/multipart#hdr-Limits)
+respectively.
+This behavior was backported to Go 1.19.8+ and Go 1.20.3+.
+
+There is no plan to remove any of these settings.
 
 ### Go 1.20
 
-- 
cgit v1.2.1