Opened 5 years ago
Closed 9 months ago
#50461 closed defect (bug) (duplicate)
Sanitation breaking scripts in custom HTML block
Reported by: | Owned by:
Milestone: | Priority: normal
Severity: normal | Version: 5.4.2
Component: Formatting | Keywords:
Focuses: | Cc:
Description
In certain scenarios, some sort of (most likely regex-based) sanitization in core WordPress converts `&&` into `&amp;&amp;`, even when placed within a custom HTML block and using a user with unfiltered_html capabilities.
Here is a sample page content you can use to see the issue:
```html
<!-- wp:html -->
<script>
This should work: &&
This doesn't: <= && >
&& After the "tag" is closed it works again
</script>
<!-- /wp:html -->

<!-- wp:html -->
<script>
// Sample script that could be mangled.
var foo = 1 <= 2;
if ( foo && true ) {
    alert('worked');
}
</script>
<!-- /wp:html -->
```
On the frontend, this will be output as:
```html
<script>
This should work: &&
This doesn't: <= &amp;&amp; >
&& After the "tag" is closed it works again
</script>

<script>
// Sample script that could be mangled.
var foo = 1 <= 2;
if ( foo &amp;&amp; true ) {
    alert('worked');
}
</script>
```
The reason I believe this is a regex issue is that only `&&` characters after `<=` characters get converted to entities, and after a `>` character the conversion stops and `&&` are output as normal. My theory is it's some sort of regex-based sanitization for HTML attributes, but I haven't been able to track down which one specifically.
Note: the issue is probably not from the Gutenberg editor, as the custom HTML block is purely JS and the post content saves into the database correctly.
I reproduced the issue on a clean site running WP 5.4.2 with Twenty Twenty theme and no active plugins.
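Editor's note: the following Python model is an added example, not WordPress core code and not the reporter's; the ticket does not identify the filter responsible, so the regex here (`TAG_RE`, treating any `<` as a tag opener up to the next `>`) is an assumption that reproduces the observed symptom. It applies that filter to the ticket's two sample blocks, shows the `&&` after a JavaScript `<=` being turned into `&amp;&amp;`, and then shows the same filter with `<script>`/`<style>` raw-text elements split out first so their bodies are never treated as markup. `raw_text_survives` is a regression check of the kind a theme or plugin developer could run against any content filter. All function and constant names are this example's own.

```python
import re

# Constructed from the ticket's two custom HTML blocks, as stored in post_content
# (<!-- wp:html --> ... <!-- /wp:html --> are Gutenberg's block delimiters).
SAMPLE = """<!-- wp:html -->
<script>
This should work: &&
This doesn't: <= && >
&& After the "tag" is closed it works again
</script>
<!-- /wp:html -->"""

SAMPLE_JS = """<!-- wp:html -->
<script>
// Sample script that could be mangled.
var foo = 1 <= 2;
if ( foo && true ) {
    alert('worked');
}
</script>
<!-- /wp:html -->"""

# Hypothetical tag matcher: any '<' opens a "tag" that runs to the next '>'.
# This is the assumption the ticket's symptoms point at, not core's actual regex.
TAG_RE = re.compile(r"<[^>]*>?")

# Raw-text elements: their bodies are not markup, so '<', '>' and '&' inside them
# are literal characters. Group 1 = start tag, 3 = body, 4 = end tag.
RAW_TEXT_RE = re.compile(r"(<(script|style)\b[^>]*>)(.*?)(</\2\s*>)", re.S | re.I)


def naive_encode_amp_in_tags(html):
    """Entity-encode '&' inside anything TAG_RE thinks is a tag.

    A JavaScript '<=' opens a bogus "tag", so every '&&' from there to the
    next '>' becomes '&amp;&amp;', which is exactly what the ticket observes.
    """
    return TAG_RE.sub(lambda m: m.group(0).replace("&", "&amp;"), html)


def encode_amp_in_tags_preserving_raw_text(html):
    """Same filter, but <script>/<style> elements are split out first.

    Only the surrounding markup and the raw-text element's start tag go through
    the tag filter; the element body is copied through untouched.
    """
    out, pos = [], 0
    for m in RAW_TEXT_RE.finditer(html):
        out.append(naive_encode_amp_in_tags(html[pos:m.start()]))
        out.append(naive_encode_amp_in_tags(m.group(1)))  # start tag: attributes may be filtered
        out.append(m.group(3))                             # body: raw text, left as-is
        out.append(m.group(4))                             # end tag
        pos = m.end()
    out.append(naive_encode_amp_in_tags(html[pos:]))
    return "".join(out)


def script_bodies(html):
    """Raw bodies of every <script>/<style> element, in document order."""
    return [m.group(3) for m in RAW_TEXT_RE.finditer(html)]


def raw_text_survives(html, content_filter):
    """Regression check for any content filter: script/style bodies must come
    out byte-for-byte identical, otherwise the filter is rewriting code."""
    return script_bodies(content_filter(html)) == script_bodies(html)


if __name__ == "__main__":
    for name, sample in (("first block", SAMPLE), ("second block", SAMPLE_JS)):
        print(f"--- {name}, naive filter ---")
        print(naive_encode_amp_in_tags(sample))
        print("script body intact:", raw_text_survives(sample, naive_encode_amp_in_tags))
        print("script body intact with raw-text split:",
              raw_text_survives(sample, encode_amp_in_tags_preserving_raw_text))
```

The raw-text split is itself only a heuristic (a `</script>` inside a JavaScript string literal would end the element early, just as it does in a browser), so the durable fix for a filter like this is a tokenizer that knows the HTML raw-text rules, or simply not running markup rewrites on content from users who hold unfiltered_html. Either way, `raw_text_survives` run over a site's own custom HTML blocks is a cheap check that a content filter is leaving script bodies alone.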