wptexturize inconsistently encodes & to & in Custom HTML blocks, breaking JavaScript

[noitidart]

The wptexturize function inconsistently converts & to & inside Custom HTML blocks, breaking JavaScript code that uses the && operator. The inconsistency occurs when the JavaScript contains < comparison operators, which causes wptexturize's regex-based parser to misidentify HTML tag boundaries.

Steps to Reproduce

1. Create a post/page with a Custom HTML block
2. Add the following JavaScript:

<script>
(function() {
  if (5 < 1) {
    // never
  }

  if (true && true) {
    alert('if you see this alert - then the ampersands were not encoded')
  }
})()
</script>

3. View the page source on the frontend

Expected Behavior

The && operator should remain unchanged:

if (true && true) {

Actual Behavior

The && operator gets encoded to &&:

if (true && true) {

This breaks the JavaScript with a syntax error.

Root Cause

In wp-includes/formatting.php, wptexturize() uses regex to identify HTML tag boundaries. When JavaScript contains < characters (e.g., if (5 < 1)), the parser incorrectly treats this as an HTML tag start, causing the <script> tag's content to be partially or fully processed by the ampersand-encoding regex at line 299:

$curl = preg_replace( '/&(?!#(?:\d+|x[a-f0-9]+);|[a-z1-4]{1,8};)/i', '&', $curl );

The <script> tag is in $default_no_texturize_tags, but the protection fails when the parser misidentifies tag boundaries.

Environment

• WordPress: 6.9.1 (trunk)
• Theme: Any block theme (Full Site Editing)
• PHP: 8.x

[noitidart]

Correction, my WP is 6.8.2

[dlh]

Hi @noitidart, and welcome to Trac!

This issue was previously reported in #43785. A patch is still needed, so if you're interested in developing one, please propose it there!