exp/template/html: fix infinite loop in escapeText on bad input

The template
    "<a="
caused an infinite loop in escape text.

The change to tTag fixes that and the change to escape.go causes
escapeText to panic on any infinite loop that does not involve
a state cycle.

R=nigeltao
CC=golang-dev
https://golang.org/cl/5115041

src/pkg/exp/template/html/escape.go

@@ -598,6 +598,9 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context {
 			b.Write(s[written:cs])
 			written = i1
 		}
+		if i == i1 && c.state == c1.state {
+			panic(fmt.Sprintf("infinite loop from %v to %v on %q..%q", c, c1, s[:i], s[i:]))
+		}
 		c, i = c1, i1
 	}
 

src/pkg/exp/template/html/escape_test.go

@@ -904,6 +904,10 @@ func TestErrors(t *testing.T) {
 			`<a style=font:'Arial'>`,
 			`exp/template/html:z: "'" in unquoted attr: "font:'Arial'"`,
 		},
+		{
+			`<a=foo>`,
+			`: expected space, attr name, or end of tag, but got "=foo>"`,
+		},
 	}
 
 	for _, test := range tests {

src/pkg/exp/template/html/transition.go

@@ -100,7 +100,12 @@ func tTag(c context, s []byte) (context, int) {
 		return context{state: stateError, err: err}, len(s)
 	}
 	state, attr := stateTag, attrNone
-	if i != j {
+	if i == j {
+		return context{
+			state: stateError,
+			err:   errorf(ErrBadHTML, 0, "expected space, attr name, or end of tag, but got %q", s[i:]),
+		}, len(s)
+	}
 	canonAttrName := strings.ToLower(string(s[i:j]))
 	switch attrType[canonAttrName] {
 	case contentTypeURL:
@@ -119,7 +124,6 @@ func tTag(c context, s []byte) (context, int) {
 	} else {
 		state = stateAfterName
 	}
-	}
 	return context{state: state, element: c.element, attr: attr}, j
 }