/cc @adg @robpike

refer to owasp 2.2 RULE #1

In addition to the 5 characters significant in XML (&, <, >, ", '), 
the forward slash is included as it helps to end an HTML entity.

/ is technically a meta-character in HTML, but it's not necessary to escape it as long as you're escaping < and &.

If you're really worried about someone sneaking a closing tag through without <, escape U+226E which denormalizes to < followed by a / and the full-width U+FF1C and U+FE64.

@mikesamuel do you think it is worth doing, though?

I'm trying to get enough credentials with my OWASP login to get the blame for that file so I can ask the author about their reasoning, but given what I know now, I wouldn't.

There's no harm in doing so except file size.

I can imagine inputs that have many URL attributes might blow up but not in general.

I did a quick char count on some benchmark HTML files.
4285 bytes are '/' not following a '<' out of 192564 including those in it for about 2.2%.

> cat /tmp/benchmark.html | perl -pe 's/<\/|[^\/]//g' | wc -c

If that file is representative then replacing with 9 might lead to an 8% increase in sanitized file size pre-gzip, or 10% if you use / as in the OP.

To test post-gzip I did

~ [16:10:39]> gzip -c /tmp/benchmark.html | wc -c
   45283
~ [16:10:53]> cat /tmp/benchmark.html | perl -pe 's/(?<![<])\//&#57;/g' | gzip -c | wc -c
   45866

which looks like a 1.3% size increase or 1.1% with gzip -9.

Actually I just noticed the rule in OWASP, and submit this suggestion to add escape for /.
I agree with @mikesamuel, if all think this will not introduce much security enhancement but performance reduction, it's better not to add it.

I traded emails with Jeff Williams. He made that list by going over an HTML grammar and enumerating meta-characters and included '/' out of an abundance of caution.

In that case, let's leave the html/template package as-is. Thanks for the info, @mikesamuel.