html/template: grow srcset buffer in proportion to need

In particular, avoid exponential memory usage from growing it in
proportion to its current size.

Fixes #24731

Change-Id: I277d2fbac2ef7b00ae4b83d6d1dcd7f2e630a5cd
Reviewed-on: https://go-review.googlesource.com/105155Reviewed-by: Daniel Martí <mvdan@mvdan.cc>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Daniel Martí <mvdan@mvdan.cc>
TryBot-Result: Gobot Gobot <gobot@golang.org>

src/html/template/escape_test.go

@@ -656,6 +656,11 @@ func TestEscape(t *testing.T) {
 			// The second URL is also filtered.
 			`<img srcset="/not-an-image#,#ZgotmplZ">`,
 		},
+		{
+			"srcset buffer growth",
+			`<img srcset={{",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"}}>`,
+			`<img srcset=,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,>`,
+		},
 	}
 
 	for _, test := range tests {

src/html/template/url.go

@@ -88,7 +88,7 @@ func urlProcessor(norm bool, args ...interface{}) string {
 // processURLOnto appends a normalized URL corresponding to its input to b
 // and returns true if the appended content differs from s.
 func processURLOnto(s string, norm bool, b *bytes.Buffer) bool {
-	b.Grow(b.Cap() + len(s) + 16)
+	b.Grow(len(s) + 16)
 	written := 0
 	// The byte loop below assumes that all URLs use UTF-8 as the
 	// content-encoding. This is similar to the URI to IRI encoding scheme