Changeset 60706 for trunk/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php

Timestamp:

09/04/2025 02:38:15 PM (2 months ago)

Author:

jonsurrell

Message:

HTML API: Prevent adding dangerous double-escape SCRIPT contents.

Prevent WP_Tag_Processor::set_modifiable_text() from allowing SCRIPT contents with "<script" like it does with "</script". Either of these sequences may affect the script element's close.

Developed in ​https://github.com/WordPress/wordpress-develop/pull/9560.

Props jonsurrell, westonruter, dmsnell.
See #63738.

File:

• trunk/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php (modified) (1 diff)

trunk/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php

@@ -491 +491 @@
             'SCRIPT with </script>'            => array( '<script>Replace me</script>', 'Just a </script>' ),
             'SCRIPT with </script attributes>' => array( '<script>Replace me</script>', 'before</script id=sneak>after' ),
+            'SCRIPT with "<script " opener'    => array( '<script>Replace me</script>', '<!--<script ' ),
         );
     }