Fix inline script tag escaping

src/js/_enqueues/lib/auth-check.js

@@ -159,12 +159,23 @@
 			setShowTimeout();
 		});
 	}).on( 'heartbeat-tick.wp-auth-check', function( e, data ) {
-		if ( 'wp-auth-check' in data ) {
+		if ( ! ( 'wp-auth-check' in data ) ) {
+			return;
+		}
+
+		var showOrHide = function () {
 			if ( ! data['wp-auth-check'] && wrap.hasClass( 'hidden' ) && ! tempHidden ) {
 				show();
 			} else if ( data['wp-auth-check'] && ! wrap.hasClass( 'hidden' ) ) {
 				hide();
 			}
+		};
+
+		// This is necessary due to a race condition where the heartbeat-tick event may fire before DOMContentLoaded.
+		if ( wrap ) {
+			showOrHide();
+		} else {
+			$( showOrHide );
 		}
 	});
 

src/wp-admin/includes/file.php

@@ -1896,14 +1896,14 @@ function _unzip_file_pclzip( $file, $to, $needed_dirs = array() ) {
 	$uncompressed_size = 0;
 
 	// Determine any children directories needed (From within the archive).
-	foreach ( $archive_files as $file ) {
-		if ( str_starts_with( $file['filename'], '__MACOSX/' ) ) { // Skip the OS X-created __MACOSX directory.
+	foreach ( $archive_files as $archive_file ) {
+		if ( str_starts_with( $archive_file['filename'], '__MACOSX/' ) ) { // Skip the OS X-created __MACOSX directory.
 			continue;
 		}
 
-		$uncompressed_size += $file['size'];
+		$uncompressed_size += $archive_file['size'];
 
-		$needed_dirs[] = $to . untrailingslashit( $file['folder'] ? $file['filename'] : dirname( $file['filename'] ) );
+		$needed_dirs[] = $to . untrailingslashit( $archive_file['folder'] ? $archive_file['filename'] : dirname( $archive_file['filename'] ) );
 	}
 
 	// Enough space to unzip the file and copy its contents, with a 10% buffer.
@@ -1967,22 +1967,22 @@ function _unzip_file_pclzip( $file, $to, $needed_dirs = array() ) {
 	}
 
 	// Extract the files from the zip.
-	foreach ( $archive_files as $file ) {
-		if ( $file['folder'] ) {
+	foreach ( $archive_files as $archive_file ) {
+		if ( $archive_file['folder'] ) {
 			continue;
 		}
 
-		if ( str_starts_with( $file['filename'], '__MACOSX/' ) ) { // Don't extract the OS X-created __MACOSX directory files.
+		if ( str_starts_with( $archive_file['filename'], '__MACOSX/' ) ) { // Don't extract the OS X-created __MACOSX directory files.
 			continue;
 		}
 
 		// Don't extract invalid files:
-		if ( 0 !== validate_file( $file['filename'] ) ) {
+		if ( 0 !== validate_file( $archive_file['filename'] ) ) {
 			continue;
 		}
 
-		if ( ! $wp_filesystem->put_contents( $to . $file['filename'], $file['content'], FS_CHMOD_FILE ) ) {
-			return new WP_Error( 'copy_failed_pclzip', __( 'Could not copy file.' ), $file['filename'] );
+		if ( ! $wp_filesystem->put_contents( $to . $archive_file['filename'], $archive_file['content'], FS_CHMOD_FILE ) ) {
+			return new WP_Error( 'copy_failed_pclzip', __( 'Could not copy file.' ), $archive_file['filename'] );
 		}
 	}
 

src/wp-admin/includes/media.php

@@ -3769,8 +3769,8 @@ function wp_read_audio_metadata( $file ) {
  * @link https://github.com/JamesHeinrich/getID3/blob/master/structure.txt
  *
  * @param array $metadata The metadata returned by getID3::analyze().
- * @return int|false A UNIX timestamp for the media's creation date if available
- *                   or a boolean FALSE if a timestamp could not be determined.
+ * @return int|false A Unix timestamp for the media's creation date if available
+ *                   or a boolean false if the timestamp could not be determined.
  */
 function wp_get_media_creation_timestamp( $metadata ) {
 	$creation_date = false;

src/wp-includes/block-editor.php

@@ -774,7 +774,7 @@ function block_editor_rest_api_preload( array $preload_paths, $block_editor_cont
 		'wp-api-fetch',
 		sprintf(
 			'wp.apiFetch.use( wp.apiFetch.createPreloadingMiddleware( %s ) );',
-			wp_json_encode( $preload_data, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
+			wp_json_encode( $preload_data, JSON_UNESCAPED_SLASHES )
 		),
 		'after'
 	);

src/wp-includes/functions.wp-scripts.php

@@ -130,18 +130,42 @@ function wp_print_scripts( $handles = false ) {
 function wp_add_inline_script( $handle, $data, $position = 'after' ) {
 	_wp_scripts_maybe_doing_it_wrong( __FUNCTION__, $handle );
 
-	if ( false !== stripos( $data, '</script>' ) ) {
-		_doing_it_wrong(
-			__FUNCTION__,
-			sprintf(
-				/* translators: 1: <script>, 2: wp_add_inline_script() */
-				__( 'Do not pass %1$s tags to %2$s.' ),
-				'<code>&lt;script&gt;</code>',
-				'<code>wp_add_inline_script()</code>'
-			),
-			'4.5.0'
-		);
-		$data = trim( preg_replace( '#<script[^>]*>(.*)</script>#is', '$1', $data ) );
+	/*
+	 * Check whether the script data appears to be enclosed in an HTML <script> tag.
+	 */
+	if (
+		strlen( $data ) >= 17 &&
+		0 === substr_compare( $data, '<script', 0, 7, true ) &&
+		(
+			"\t" === $data[7] ||
+			"\n" === $data[7] ||
+			/*
+			 * \r\n and \r are normalized to \n in HTML newline normalization.
+			 * Therefore, \r always behaves like \n and terminates a tag name.
+			 */
+			"\r" === $data[7] ||
+			"\f" === $data[7] ||
+			' ' === $data[7] ||
+			'/' === $data[7] ||
+			'>' === $data[7]
+		)
+	) {
+		// Try to parse and extract the script contents.
+		$processor = new WP_HTML_Tag_Processor( $data );
+		$processor->next_token();
+		if ( $processor->get_tag() === 'SCRIPT' ) {
+			_doing_it_wrong(
+				__FUNCTION__,
+				sprintf(
+					/* translators: 1: <script>, 2: wp_add_inline_script() */
+					__( 'Do not pass %1$s tags to %2$s.' ),
+					'<code>&lt;script&gt;</code>',
+					'<code>wp_add_inline_script()</code>'
+				),
+				'4.5.0'
+			);
+			$data = $processor->get_modifiable_text();
+		}
 	}
 
 	return wp_scripts()->add_inline_script( $handle, $data, $position );