all: update comment URLs from HTTP to HTTPS, where possible

Each URL was manually verified to ensure it did not serve up incorrect
content.

Change-Id: I4dc846227af95a73ee9a3074d0c379ff0fa955df
Reviewed-on: https://go-review.googlesource.com/115798
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>

9 files changed, 24 insertions, 24 deletions

diff --git a/src/html/template/attr.go b/src/html/template/attr.go
index 92d2789e80..22922e6038 100644
--- a/src/html/template/attr.go
+++ b/src/html/template/attr.go
@@ -13,9 +13,9 @@ import (
 // other content, or affects the contents, idempotency, or credentials of a
 // network message, then the value in this map is contentTypeUnsafe.
 // This map is derived from HTML5, specifically
-// http://www.w3.org/TR/html5/Overview.html#attributes-1
+// https://www.w3.org/TR/html5/Overview.html#attributes-1
 // as well as "%URI"-typed attributes from
-// http://www.w3.org/TR/html4/index/attributes.html
+// https://www.w3.org/TR/html4/index/attributes.html
 var attrTypeMap = map[string]contentType{
 	"accept":          contentTypePlain,
 	"accept-charset":  contentTypeUnsafe,
@@ -90,7 +90,7 @@ var attrTypeMap = map[string]contentType{
 	"name":            contentTypePlain,
 	"novalidate":      contentTypeUnsafe,
 	// Skip handler names from
-	// http://www.w3.org/TR/html5/webappapis.html#event-handlers-on-elements,-document-objects,-and-window-objects
+	// https://www.w3.org/TR/html5/webappapis.html#event-handlers-on-elements,-document-objects,-and-window-objects
 	// since we have special handling in attrType.
 	"open":        contentTypePlain,
 	"optimum":     contentTypePlain,
@@ -160,7 +160,7 @@ func attrType(name string) contentType {
 
 	// Heuristics to prevent "javascript:..." injection in custom
 	// data attributes and custom attributes like g:tweetUrl.
-	// http://www.w3.org/TR/html5/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes
+	// https://www.w3.org/TR/html5/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes
 	// "Custom data attributes are intended to store custom data
 	//  private to the page or application, for which there are no
 	//  more appropriate attributes or elements."
diff --git a/src/html/template/content.go b/src/html/template/content.go
index e7cdedc3b6..4aadf64df2 100644
--- a/src/html/template/content.go
+++ b/src/html/template/content.go
@@ -16,7 +16,7 @@ type (
 	//   2. The CSS3 rule production, such as `a[href=~"https:"].foo#bar`.
 	//   3. CSS3 declaration productions, such as `color: red; margin: 2px`.
 	//   4. The CSS3 value production, such as `rgba(0, 0, 255, 127)`.
-	// See http://www.w3.org/TR/css3-syntax/#parsing and
+	// See https://www.w3.org/TR/css3-syntax/#parsing and
 	// https://web.archive.org/web/20090211114933/http://w3.org/TR/css3-syntax#style
 	//
 	// Use of this type presents a security risk:
@@ -85,7 +85,7 @@ type (
 	URL string
 
 	// Srcset encapsulates a known safe srcset attribute
-	// (see http://w3c.github.io/html/semantics-embedded-content.html#element-attrdef-img-srcset).
+	// (see https://w3c.github.io/html/semantics-embedded-content.html#element-attrdef-img-srcset).
 	//
 	// Use of this type presents a security risk:
 	// the encapsulated content should come from a trusted source,
diff --git a/src/html/template/context.go b/src/html/template/context.go
index fdbf7e25ee..45be3a6a9f 100644
--- a/src/html/template/context.go
+++ b/src/html/template/context.go
@@ -13,7 +13,7 @@ import (
 //
 // The zero value of type context is the start context for a template that
 // produces an HTML fragment as defined at
-// http://www.w3.org/TR/html5/syntax.html#the-end
+// https://www.w3.org/TR/html5/syntax.html#the-end
 // where the context element is null.
 type context struct {
 	state   state
@@ -98,7 +98,7 @@ const (
 	// stateHTMLCmt occurs inside an <!-- HTML comment -->.
 	stateHTMLCmt
 	// stateRCDATA occurs inside an RCDATA element (<textarea> or <title>)
-	// as described at http://www.w3.org/TR/html5/syntax.html#elements-0
+	// as described at https://www.w3.org/TR/html5/syntax.html#elements-0
 	stateRCDATA
 	// stateAttr occurs inside an HTML attribute whose content is text.
 	stateAttr
diff --git a/src/html/template/css.go b/src/html/template/css.go
index 9154d8636d..1587af8385 100644
--- a/src/html/template/css.go
+++ b/src/html/template/css.go
@@ -28,7 +28,7 @@ func endsWithCSSKeyword(b []byte, kw string) bool {
 	}
 	// Many CSS keywords, such as "!important" can have characters encoded,
 	// but the URI production does not allow that according to
-	// http://www.w3.org/TR/css3-syntax/#TOK-URI
+	// https://www.w3.org/TR/css3-syntax/#TOK-URI
 	// This does not attempt to recognize encoded keywords. For example,
 	// given "\75\72\6c" and "url" this return false.
 	return string(bytes.ToLower(b[i:])) == kw
@@ -38,7 +38,7 @@ func endsWithCSSKeyword(b []byte, kw string) bool {
 func isCSSNmchar(r rune) bool {
 	// Based on the CSS3 nmchar production but ignores multi-rune escape
 	// sequences.
-	// http://www.w3.org/TR/css3-syntax/#SUBTOK-nmchar
+	// https://www.w3.org/TR/css3-syntax/#SUBTOK-nmchar
 	return 'a' <= r && r <= 'z' ||
 		'A' <= r && r <= 'Z' ||
 		'0' <= r && r <= '9' ||
@@ -53,7 +53,7 @@ func isCSSNmchar(r rune) bool {
 // decodeCSS decodes CSS3 escapes given a sequence of stringchars.
 // If there is no change, it returns the input, otherwise it returns a slice
 // backed by a new array.
-// http://www.w3.org/TR/css3-syntax/#SUBTOK-stringchar defines stringchar.
+// https://www.w3.org/TR/css3-syntax/#SUBTOK-stringchar defines stringchar.
 func decodeCSS(s []byte) []byte {
 	i := bytes.IndexByte(s, '\\')
 	if i == -1 {
@@ -72,10 +72,10 @@ func decodeCSS(s []byte) []byte {
 		if len(s) < 2 {
 			break
 		}
-		// http://www.w3.org/TR/css3-syntax/#SUBTOK-escape
+		// https://www.w3.org/TR/css3-syntax/#SUBTOK-escape
 		// escape ::= unicode | '\' [#x20-#x7E#x80-#xD7FF#xE000-#xFFFD#x10000-#x10FFFF]
 		if isHex(s[1]) {
-			// http://www.w3.org/TR/css3-syntax/#SUBTOK-unicode
+			// https://www.w3.org/TR/css3-syntax/#SUBTOK-unicode
 			//   unicode ::= '\' [0-9a-fA-F]{1,6} wc?
 			j := 2
 			for j < len(s) && j < 7 && isHex(s[j]) {
@@ -222,7 +222,7 @@ func cssValueFilter(args ...interface{}) string {
 	b, id := decodeCSS([]byte(s)), make([]byte, 0, 64)
 
 	// CSS3 error handling is specified as honoring string boundaries per
-	// http://www.w3.org/TR/css3-syntax/#error-handling :
+	// https://www.w3.org/TR/css3-syntax/#error-handling :
 	//     Malformed declarations. User agents must handle unexpected
 	//     tokens encountered while parsing a declaration by reading until
 	//     the end of the declaration, while observing the rules for
diff --git a/src/html/template/escape.go b/src/html/template/escape.go
index f87e9a69ea..8517620d3c 100644
--- a/src/html/template/escape.go
+++ b/src/html/template/escape.go
@@ -668,7 +668,7 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context {
 		} else if isComment(c.state) && c.delim == delimNone {
 			switch c.state {
 			case stateJSBlockCmt:
-				// http://es5.github.com/#x7.4:
+				// https://es5.github.com/#x7.4:
 				// "Comments behave like white space and are
 				// discarded except that, if a MultiLineComment
 				// contains a line terminator character, then
@@ -731,7 +731,7 @@ func contextAfterText(c context, s []byte) (context, int) {
 		i = len(s)
 	}
 	if c.delim == delimSpaceOrTagEnd {
-		// http://www.w3.org/TR/html5/syntax.html#attribute-value-(unquoted)-state
+		// https://www.w3.org/TR/html5/syntax.html#attribute-value-(unquoted)-state
 		// lists the runes below as error characters.
 		// Error out because HTML parsers may differ on whether
 		// "<a id= onclick=f("     ends inside id's or onclick's value,
diff --git a/src/html/template/html.go b/src/html/template/html.go
index de4aa4abb2..2ea5a7d4bc 100644
--- a/src/html/template/html.go
+++ b/src/html/template/html.go
@@ -50,12 +50,12 @@ func htmlEscaper(args ...interface{}) string {
 // htmlReplacementTable contains the runes that need to be escaped
 // inside a quoted attribute value or in a text node.
 var htmlReplacementTable = []string{
-	// http://www.w3.org/TR/html5/syntax.html#attribute-value-(unquoted)-state
+	// https://www.w3.org/TR/html5/syntax.html#attribute-value-(unquoted)-state
 	// U+0000 NULL Parse error. Append a U+FFFD REPLACEMENT
 	// CHARACTER character to the current attribute's value.
 	// "
 	// and similarly
-	// http://www.w3.org/TR/html5/syntax.html#before-attribute-value-state
+	// https://www.w3.org/TR/html5/syntax.html#before-attribute-value-state
 	0:    "\uFFFD",
 	'"':  "&#34;",
 	'&':  "&amp;",
diff --git a/src/html/template/js.go b/src/html/template/js.go
index e02fdb9751..33a18b4186 100644
--- a/src/html/template/js.go
+++ b/src/html/template/js.go
@@ -24,7 +24,7 @@ import (
 // "x = ++/foo/i" which is quite different than "x++/foo/i", but is not known to
 // fail on any known useful programs. It is based on the draft
 // JavaScript 2.0 lexical grammar and requires one token of lookbehind:
-// http://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html
+// https://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html
 func nextJSCtx(s []byte, preceding jsCtx) jsCtx {
 	s = bytes.TrimRight(s, "\t\n\f\r \u2028\u2029")
 	if len(s) == 0 {
diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
index cf2a0d2987..12a850d6e3 100644
--- a/src/html/template/js_test.go
+++ b/src/html/template/js_test.go
@@ -191,7 +191,7 @@ func TestJSStrEscaper(t *testing.T) {
 		{"</script>", `\x3c\/script\x3e`},
 		{"<![CDATA[", `\x3c![CDATA[`},
 		{"]]>", `]]\x3e`},
-		// http://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span
+		// https://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span
 		//   "The text in style, script, title, and textarea elements
 		//   must not have an escaping text span start that is not
 		//   followed by an escaping text span end."
@@ -203,7 +203,7 @@ func TestJSStrEscaper(t *testing.T) {
 		// injection followed by an HTML text injection.
 		{"<!--", `\x3c!--`},
 		{"-->", `--\x3e`},
-		// From http://code.google.com/p/doctype/wiki/ArticleUtf7
+		// From https://code.google.com/p/doctype/wiki/ArticleUtf7
 		{"+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
 			`\x2bADw-script\x2bAD4-alert(1)\x2bADw-\/script\x2bAD4-`,
 		},
diff --git a/src/html/template/transition.go b/src/html/template/transition.go
index c72cf1ea60..06df679330 100644
--- a/src/html/template/transition.go
+++ b/src/html/template/transition.go
@@ -254,7 +254,7 @@ func tURL(c context, s []byte) (context, int) {
 		c.urlPart = urlPartQueryOrFrag
 	} else if len(s) != eatWhiteSpace(s, 0) && c.urlPart == urlPartNone {
 		// HTML5 uses "Valid URL potentially surrounded by spaces" for
-		// attrs: http://www.w3.org/TR/html5/index.html#attributes-1
+		// attrs: https://www.w3.org/TR/html5/index.html#attributes-1
 		c.urlPart = urlPartPreQuery
 	}
 	return c, len(s)
@@ -380,7 +380,7 @@ func tLineCmt(c context, s []byte) (context, int) {
 		// are supported by the 4 major browsers.
 		// This defines line comments as
 		//     LINECOMMENT ::= "//" [^\n\f\d]*
-		// since http://www.w3.org/TR/css3-syntax/#SUBTOK-nl defines
+		// since https://www.w3.org/TR/css3-syntax/#SUBTOK-nl defines
 		// newlines:
 		//     nl ::= #xA | #xD #xA | #xD | #xC
 	default:
@@ -392,7 +392,7 @@ func tLineCmt(c context, s []byte) (context, int) {
 		return c, len(s)
 	}
 	c.state = endState
-	// Per section 7.4 of EcmaScript 5 : http://es5.github.com/#x7.4
+	// Per section 7.4 of EcmaScript 5 : https://es5.github.com/#x7.4
 	// "However, the LineTerminator at the end of the line is not
 	// considered to be part of the single-line comment; it is
 	// recognized separately by the lexical grammar and becomes part