html: escape single quotes in writeQuoted when both quote types present

[mohammadmseet-hue]

writeQuoted selects single quotes when the string contains double
quotes, but does not handle the case where the string contains
both quote types. In that case, the single quotes inside the
string break out of the quoted context, allowing injection of
arbitrary HTML into the rendered output.

Root cause: when s contains both double and single quotes,
writeQuoted chooses single-quote as the delimiter but writes s
unescaped, so any single quote in s terminates the quoted
attribute and the remainder is interpreted as raw HTML.

Fix: when both quote types are present, escape the delimiter
character inside the string using the HTML entity for single
quote.

Security context: CVE-2023-3978 established that html.Render
is a security boundary. This fix addresses a remaining case
where Render can produce output that changes semantics when
re-parsed.

[gopherbot]

This PR (HEAD: 6097f3c) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/net/+/760000.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from Gopher Robot:

Patch Set 1:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/760000.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Nicholas Husin:

Patch Set 1:

(3 comments)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/760000.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

This PR (HEAD: 8676a0e) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/net/+/760000.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from Mohammad Seet:

Patch Set 2:

(4 comments)

Addressed all feedback. PS2 adds tests and cleans up commit message.

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/760000.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Mohammad Seet:

Patch Set 2:

(4 comments)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/760000.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

This PR (HEAD: aa31577) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/net/+/760000.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.