exp/template/html: don't normalize '<' in doctypes.

The normalization that prevents element name and comment injection in
  <{{.}}
by converting it to
  &lt;{{.}}
breaks
  <!DOCTYPE html>

Instead of splitting states to have a start of document state and a text
state, I whitelist <!DOCTYPE.

R=nigeltao
CC=golang-dev
https://golang.org/cl/5131051

src/pkg/exp/template/html/escape.go

@@ -549,6 +549,8 @@ var delimEnds = [...]string{
 	delimSpaceOrTagEnd: " \t\n\f\r>",
 }
 
+var doctypeBytes = []byte("<!DOCTYPE")
+
 // escapeText escapes a text template node.
 func (e *escaper) escapeText(c context, n *parse.TextNode) context {
 	s, written, i, b := n.Text, 0, 0, new(bytes.Buffer)
@@ -566,7 +568,7 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context {
 				}
 			}
 			for j := i; j < end; j++ {
-				if s[j] == '<' {
+				if s[j] == '<' && !bytes.HasPrefix(s[j:], doctypeBytes) {
 					b.Write(s[written:j])
 					b.WriteString("&lt;")
 					written = j + 1

src/pkg/exp/template/html/escape_test.go

@@ -420,6 +420,16 @@ func TestEscape(t *testing.T) {
 			"a<<!-- --><!-- -->b",
 			"a&lt;b",
 		},
+		{
+			"HTML doctype not normalized",
+			"<!DOCTYPE html>Hello, World!",
+			"<!DOCTYPE html>Hello, World!",
+		},
+		{
+			"No doctype injection",
+			`<!{{"DOCTYPE"}}`,
+			"&lt;!DOCTYPE",
+		},
 		{
 			"Split HTML comment",
 			"<b>Hello, <!-- name of {{if .T}}city -->{{.C}}{{else}}world -->{{.W}}{{end}}</b>",