Scripts: Use HTML API to generate script tags with improved safety

[jonsurrell]

The HTML API can produce SCRIPT tags that are safe, or reject the script tags if no safe tag can be produced.

SCRIPT tags have complicated and unintuitive parsing rules that make them difficult to author correctly. Currently, authors need to provide safe JavaScript and/or correctly escaped JSON in order to produce safe HTML SCRIPT tags.

[61447] added the ability to automatically escape JSON and JavaScript content when problematic strings are discovered, making the HTML API especially well-suited to producing script tags.

This is similar to change [61418] where the HTML API is used to generate style tags.

This is well documented by issues like #40737, #62797, #63851, and #51159.

This is a follow up to #64419.

The HTML API can produce SCRIPT tags that are safe, or reject the script tags if no safe tag can be produced.

SCRIPT tags have complicated and unintuitive parsing rules that make them difficult to author correctly. Currently, authors need to provide safe JavaScript and/or correctly escaped JSON in order to produce safe HTML SCRIPT tags.

[61447] added the ability to automatically escape JSON and JavaScript content when problematic strings are discovered, making the HTML API especially well-suited to producing script tags.

This is similar to change [61418] where the HTML API is used to generate style tags.

This is well documented by issues like #40737, #62797, #63851, and #51159.

This is a follow up to #64419.

✅ ~Includes #10635~ (merged in r61477).

Trac ticket: https://core.trac.wordpress.org/ticket/64500

[61477] has been merged and this PR has been updated. It's ready for review.

It includes tests updates in ​https://github.com/WordPress/wordpress-develop/pull/10727 which can be landed separately.

Add tests that verify the behavior of wp_get_inline_script_tag() wp_get_script_tag() attribute handling. This is relevant for the work in ​https://github.com/WordPress/wordpress-develop/pull/10639. See ​https://github.com/WordPress/wordpress-develop/pull/10639#discussion_r2687294023.

Tests are added using assertEqualHTML() assertions that verify the behavior when:

• Different attribute values and types are provided.
• Repeated attribute names are provided (correct order handling)

Trac ticket: https://core.trac.wordpress.org/ticket/64500

A nice improvement with this change:

echo wp_get_script_tag( array( "<" => "less-than" ) );

Warns:

Notice: Function WP_HTML_Tag_Processor::set_attribute was called <strong>incorrectly</strong>. Invalid attribute name.

And prints:

<script></script>

On trunk, there would be no warning and the following would be printed (because esc_attr(), although unsuitable, was used on the attribute name):

<script &lt;="less-than"></script>

This SCRIPT tag has an attribute literally named <.

I'd like to land ​https://github.com/WordPress/wordpress-develop/pull/10728 first so it's clear that the attribute handling is unchanged from trunk in this change.

[jonsurrell]

In 61482:

Scripts: Add script tag attribute handling tests.

Add tests that verify the behavior of wp_get_inline_script_tag() and wp_get_script_tag() attribute handling.

Developed in ​https://github.com/WordPress/wordpress-develop/pull/10728.

Props jonsurrell, dmsnell.
See #64500.

Merged in r61482.

[jonsurrell]

In 61485:

Script Loader: Use HTML API to generate SCRIPT tags.

Script tags have complicated and unintuitive parsing rules that make them difficult to author correctly. The HTML API automatically escapes script tag contents as necessary and will set attributes correctly. Using the HTML API to generate SCRIPT tags improves safety when working with SCRIPT tags, resolving a class of issues that have manifested repeatedly.

Changeset [61418] applied the HTML API to generate style tags in a similar way.

Developed in ​https://github.com/WordPress/wordpress-develop/pull/10639.

Props jonsurrell, dmsnell, westonruter.
Fixes #64500. See #64419, #40737, #62797, #63851, #51159.