encoding/xml: validate element and attribute names in Encoder

[mohammadmseet-hue]

The xml.Encoder and xml.Marshal functions write element and attribute
names directly to the output without validation. If an application
passes attacker-controlled strings as Name.Local (via XMLName fields,
EncodeElement, or EncodeToken), the output contains unescaped XML
special characters, enabling XML injection.

This is inconsistent with the existing validation for ProcInst
targets (which calls isNameString at marshal.go:240) and the
escaping of namespace values (which calls EscapeString).

A crafted Name.Local value can inject arbitrary XML elements:

item := struct {
    XMLName xml.Name
    Value   string
}{
    XMLName: xml.Name{Local: "x\"><script>..."},
    Value:   "safe",
}
out, _ := xml.Marshal(item)
// Produces: <x"><script>...>safe</x"><script>...>

This affects Marshal, MarshalIndent, EncodeToken, and
EncodeElement when Name.Local is attacker-controlled.

Attribute names are equally affected via EncodeToken with
StartElement containing crafted Attr Name.Local values.

The fix adds isNameString validation to writeStart (for both
element and attribute names) and writeEnd, matching the
validation already applied to ProcInst targets. Invalid names
now return an error instead of producing malformed XML.

Added TestEncodeTokenInvalidNames and TestMarshalInvalidXMLName.

[gopherbot]

This PR (HEAD: dfe2abe) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/go/+/763540.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from Gopher Robot:

Patch Set 1:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/763540.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

This PR (HEAD: 76631d0) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/go/+/763540.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from Mohammad Seet:

Patch Set 3:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/763540.
After addressing review feedback, remember to publish your drafts!