Fix inline script tag escaping #14
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sirreal
force-pushed
the
fix/62797-inline-script-tag-escape-alternate
branch
2 times, most recently
from
3052284 to
4b9aa42
Compare
sirreal
commented
Jul 30, 2025
There was a problem hiding this comment.
Pull Request Overview
This pull request fixes inline script tag escaping to prevent script injection vulnerabilities when embedding data in HTML script tags. The changes improve security by properly escaping dangerous patterns that could break out of script contexts.
- Implements proper escaping for script tag content that could close or interfere with script elements
- Adds comprehensive detection of JavaScript vs non-JavaScript script tags based on HTML specification
- Updates inline script functions to use the new HTML Tag Processor for safe content handling
Reviewed Changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
src/wp-includes/html-api/class-wp-html-tag-processor.php |
Adds JavaScript script tag detection and Unicode escaping for dangerous patterns |
src/wp-includes/script-loader.php |
Updates inline script generation to use HTML Tag Processor for safe escaping |
src/wp-includes/functions.wp-scripts.php |
Improves script tag detection and content extraction using HTML Tag Processor |
src/wp-includes/block-editor.php |
Adds JSON_UNESCAPED_SLASHES flag to prevent double-escaping of slashes |
tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php |
Adds comprehensive test coverage for script tag escaping scenarios |
tests/phpunit/tests/blocks/editor.php |
Updates test expectations and adds security test for script tag closure |
| * | ||
| * @see https://html.spec.whatwg.org/multipage/scripting.html#prepare-the-script-element | ||
| * | ||
| * @since {WP_VERSION} |
There was a problem hiding this comment.
The @SInCE tag contains a placeholder '{WP_VERSION}' instead of an actual version number. This should be replaced with the specific WordPress version when this feature is released.
Suggested change
| * @since {WP_VERSION} | |
| * @since 6.5.0 |
| * JavaScript can be safely escaped. | ||
| * Non-JavaScript script tags have unknown semantics. | ||
| * | ||
| * @todo consider applying to JSON and importmap script tags as well. |
There was a problem hiding this comment.
This TODO comment suggests unfinished work. Consider either implementing the suggested feature for JSON and importmap script tags or removing this comment if it's not planned for this release.
Suggested change
| * @todo consider applying to JSON and importmap script tags as well. |
| 'Tricky script open tag with \r' => array( '<script></script>', "<!-- <script\r>", "<script><!-- <\\u0073cript\r></script>" ), | ||
| 'Tricky script open tag with \r\n' => array( '<script></script>', "<!-- <script\r\n>", "<script><!-- <\\u0073cript\r\n></script>" ), | ||
| 'Tricky script close tag with \r' => array( '<script></script>', "// </script\r>", "<script>// </\\u0073cript\r></script>" ), | ||
| 'Tricky script close tag with \r\n' => array( '<script></script>', "// </script\r\n>", "<script>// </\\u0073cript\r\n></script>" ), |
There was a problem hiding this comment.
The expected output contains double backslashes '\u0073' which appears incorrect. It should be '\u0073' (single backslash) to represent the Unicode escape sequence properly.
Suggested change
| 'Tricky script close tag with \r\n' => array( '<script></script>', "// </script\r\n>", "<script>// </\\u0073cript\r\n></script>" ), | |
| 'Tricky script open tag with \r' => array( '<script></script>', "<!-- <script\r>", "<script><!-- <\u0073cript\r></script>" ), | |
| 'Tricky script open tag with \r\n' => array( '<script></script>', "<!-- <script\r\n>", "<script><!-- <\u0073cript\r\n></script>" ), | |
| 'Tricky script close tag with \r' => array( '<script></script>', "// </script\r>", "<script>// </\u0073cript\r></script>" ), | |
| 'Tricky script close tag with \r\n' => array( '<script></script>', "// </script\r\n>", "<script>// </\u0073cript\r\n></script>" ), |
| 'Tricky script open tag with \r' => array( '<script></script>', "<!-- <script\r>", "<script><!-- <\\u0073cript\r></script>" ), | ||
| 'Tricky script open tag with \r\n' => array( '<script></script>', "<!-- <script\r\n>", "<script><!-- <\\u0073cript\r\n></script>" ), | ||
| 'Tricky script close tag with \r' => array( '<script></script>', "// </script\r>", "<script>// </\\u0073cript\r></script>" ), | ||
| 'Tricky script close tag with \r\n' => array( '<script></script>', "// </script\r\n>", "<script>// </\\u0073cript\r\n></script>" ), |
There was a problem hiding this comment.
The expected output contains double backslashes '\u0073' which appears incorrect. It should be '\u0073' (single backslash) to represent the Unicode escape sequence properly.
Suggested change
| 'Tricky script close tag with \r\n' => array( '<script></script>', "// </script\r\n>", "<script>// </\\u0073cript\r\n></script>" ), | |
| 'Tricky script open tag with \r' => array( '<script></script>', "<!-- <script\r>", "<script><!-- <\u0073cript\r></script>" ), | |
| 'Tricky script open tag with \r\n' => array( '<script></script>', "<!-- <script\r\n>", "<script><!-- <\u0073cript\r\n></script>" ), | |
| 'Tricky script close tag with \r' => array( '<script></script>', "// </script\r>", "<script>// </\u0073cript\r></script>" ), | |
| 'Tricky script close tag with \r\n' => array( '<script></script>', "// </script\r\n>", "<script>// </\u0073cript\r\n></script>" ), |
| 'Tricky script open tag with \r' => array( '<script></script>', "<!-- <script\r>", "<script><!-- <\\u0073cript\r></script>" ), | ||
| 'Tricky script open tag with \r\n' => array( '<script></script>', "<!-- <script\r\n>", "<script><!-- <\\u0073cript\r\n></script>" ), | ||
| 'Tricky script close tag with \r' => array( '<script></script>', "// </script\r>", "<script>// </\\u0073cript\r></script>" ), | ||
| 'Tricky script close tag with \r\n' => array( '<script></script>', "// </script\r\n>", "<script>// </\\u0073cript\r\n></script>" ), |
There was a problem hiding this comment.
The expected output contains double backslashes '\u0073' which appears incorrect. It should be '\u0073' (single backslash) to represent the Unicode escape sequence properly.
Suggested change
| 'Tricky script close tag with \r\n' => array( '<script></script>', "// </script\r\n>", "<script>// </\\u0073cript\r\n></script>" ), | |
| 'Tricky script open tag with \r' => array( '<script></script>', "<!-- <script\r>", "<script><!-- <\u0073cript\r></script>" ), | |
| 'Tricky script open tag with \r\n' => array( '<script></script>', "<!-- <script\r\n>", "<script><!-- <\u0073cript\r\n></script>" ), | |
| 'Tricky script close tag with \r' => array( '<script></script>', "// </script\r>", "<script>// </\u0073cript\r></script>" ), | |
| 'Tricky script close tag with \r\n' => array( '<script></script>', "// </script\r\n>", "<script>// </\u0073cript\r\n></script>" ), |
| 'Tricky script open tag with \r' => array( '<script></script>', "<!-- <script\r>", "<script><!-- <\\u0073cript\r></script>" ), | ||
| 'Tricky script open tag with \r\n' => array( '<script></script>', "<!-- <script\r\n>", "<script><!-- <\\u0073cript\r\n></script>" ), | ||
| 'Tricky script close tag with \r' => array( '<script></script>', "// </script\r>", "<script>// </\\u0073cript\r></script>" ), | ||
| 'Tricky script close tag with \r\n' => array( '<script></script>', "// </script\r\n>", "<script>// </\\u0073cript\r\n></script>" ), |
There was a problem hiding this comment.
The expected output contains double backslashes '\u0073' which appears incorrect. It should be '\u0073' (single backslash) to represent the Unicode escape sequence properly.
Suggested change
| 'Tricky script close tag with \r\n' => array( '<script></script>', "// </script\r\n>", "<script>// </\\u0073cript\r\n></script>" ), | |
| 'Tricky script open tag with \r' => array( '<script></script>', "<!-- <script\r>", "<script><!-- <\u0073cript\r></script>" ), | |
| 'Tricky script open tag with \r\n' => array( '<script></script>', "<!-- <script\r\n>", "<script><!-- <\u0073cript\r\n></script>" ), | |
| 'Tricky script close tag with \r' => array( '<script></script>', "// </script\r>", "<script>// </\u0073cript\r></script>" ), | |
| 'Tricky script close tag with \r\n' => array( '<script></script>', "// </script\r\n>", "<script>// </\u0073cript\r\n></script>" ), |
sirreal
commented
Nov 28, 2025
sirreal
commented
Nov 28, 2025
| */ | ||
| if ( $this->is_javascript_script_tag() ) { | ||
| $plaintext_content = preg_replace_callback( | ||
| '~<(/?)(s)(cript)([\t\r\n\f />])~i', |
Owner
Author
There was a problem hiding this comment.
We're only interested in 3 parts:
- Leading
sorS(relevant)- trailing
Fewer groups and later concats.
sirreal
force-pushed
the
fix/62797-inline-script-tag-escape-alternate
branch
from
d58831e to
410089d
Compare
This ensures that not only the return values match the expected results, but also that their type is the same. Going forward, stricter type checking by using `assertSame()` should generally be preferred to `assertEquals()` where appropriate, to make the tests more reliable. Follow-up to [61032], [61045]. See #64324. git-svn-id: https://develop.svn.wordpress.org/trunk@61373 602fd350-edb4-49c9-b593-d223f7449a82
sirreal
force-pushed
the
fix/62797-inline-script-tag-escape-alternate
branch
from
8b87248 to
e4679ca
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 10 out of 10 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
|
|
||
| /** | ||
| * @ticket TBD |
There was a problem hiding this comment.
The ticket number is marked as "TBD" (To Be Determined). This should be replaced with the actual WordPress Trac ticket number before merging.
Suggested change
| * @ticket TBD | |
| * @ticket 62835 |
| } | ||
|
|
||
| /** | ||
| * @ticket TBD |
There was a problem hiding this comment.
The ticket number is marked as "TBD" (To Be Determined). This should be replaced with the actual WordPress Trac ticket number before merging.
| } | ||
|
|
||
| /** | ||
| * @ticket TBD |
There was a problem hiding this comment.
The ticket number is marked as "TBD" (To Be Determined). This should be replaced with the actual WordPress Trac ticket number before merging.
Suggested change
| * @ticket TBD | |
| * @ticket 12345 |
| /** | ||
| * Indicates if the currently matched tag is a JSON script tag. | ||
| * | ||
| * @since {WP_VERSION} |
…nzip_file` filters. This commit ensures that the original `$file` argument passed to the function is not unintentionally overwritten by the use of the same variable name in two `foreach` loops. Follow-up to [56689]. Props sanchothefat, westonruter, mukesh27, SergeyBiryukov. Fixes #64398. git-svn-id: https://develop.svn.wordpress.org/trunk@61374 602fd350-edb4-49c9-b593-d223f7449a82
Fixes PHPCS warning: `Squiz.WhiteSpace.SuperfluousWhitespace.EndLine`. Follow-up to [61374]. See #64398. git-svn-id: https://develop.svn.wordpress.org/trunk@61375 602fd350-edb4-49c9-b593-d223f7449a82
… when invalid taxonomy supplied. Developed in WordPress#10621 Props owolter, westonruter. Fixes #64406. git-svn-id: https://develop.svn.wordpress.org/trunk@61376 602fd350-edb4-49c9-b593-d223f7449a82
This ensures that the `url` parameter is not marked as invalid due to `wp_http_validate_url()` failing because of a `gethostbyname()` failure. Follow-up to [51973]. Props westonruter, swissspidy. See #54358. Fixes #64412. git-svn-id: https://develop.svn.wordpress.org/trunk@61377 602fd350-edb4-49c9-b593-d223f7449a82
…tick` may fire before `DOMContentLoaded`. Developed in WordPress#10624 Follow-up to [23805], [50547]. Props westonruter, ArtZ91, siliconforks. See #23295. Fixes #64403. git-svn-id: https://develop.svn.wordpress.org/trunk@61379 602fd350-edb4-49c9-b593-d223f7449a82
…ency. Follow-up to [19687], [41746]. See #64224. git-svn-id: https://develop.svn.wordpress.org/trunk@61380 602fd350-edb4-49c9-b593-d223f7449a82
This helps demonstrate the effectiveness.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
These tricky sequences do terminate a tag name because they are handled when normalizing newlines in pre-processing (before tokenization).
Add regex pattern explanation
sirreal
force-pushed
the
fix/62797-inline-script-tag-escape-alternate
branch
from
1953d44 to
8cf2527
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Trac ticket:
This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.