HTML API: Prevent adding dangerous double-escape SCRIPT contents.

sirreal · sirreal · commit d4a1644618f5 · 2025-09-04T14:40:27.000Z
Prevent WP_Tag_Processor::set_modifiable_text() from allowing SCRIPT contents with "<script" like it does with "</script". Either of these sequences may affect the script element's close. Developed in WordPress/wordpress-develop#9560. Props jonsurrell, westonruter, dmsnell. See #63738. Built from https://develop.svn.wordpress.org/trunk@60706 git-svn-id: http://core.svn.wordpress.org/trunk@60042 1a063a9b-81f0-0310-95a4-ce76da25c4cd
diff --git a/wp-includes/html-api/class-wp-html-tag-processor.php b/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3780,17 +3780,28 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 
 		switch ( $this->get_tag() ) {
 			case 'SCRIPT':
-				/*
+				/**
 				 * This is over-protective, but ensures the update doesn't break
-				 * out of the SCRIPT element. A more thorough check would need to
-				 * ensure that the script closing tag doesn't exist, and isn't
-				 * also "hidden" inside the script double-escaped state.
+				 * the HTML structure of the SCRIPT element.
+				 *
+				 * More thorough analysis could track the HTML tokenizer states
+				 * and to ensure that the SCRIPT element closes at the expected
+				 * SCRIPT close tag as is done in {@see ::skip_script_data()}.
 				 *
-				 * It may seem like replacing `</script` with `<\/script` would
-				 * properly escape these things, but this could mask regex patterns
-				 * that previously worked. Resolve this by not sending `</script`
+				 * A SCRIPT element could be closed prematurely by contents
+				 * like `</script>`. A SCRIPT element could be prevented from
+				 * closing by contents like `<!--<script>`.
+				 *
+				 * The following strings are essential for dangerous content,
+				 * although they are insufficient on their own. This trade-off
+				 * prevents dangerous scripts from being sent to the browser.
+				 * It is also unlikely to produce HTML that may confuse more
+				 * basic HTML tooling.
 				 */
-				if ( false !== stripos( $plaintext_content, '</script' ) ) {
+				if (
+					false !== stripos( $plaintext_content, '</script' ) ||
+					false !== stripos( $plaintext_content, '<script' )
+				) {
 					return false;
 				}
 
diff --git a/wp-includes/version.php b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '6.9-alpha-60705';
+$wp_version = '6.9-alpha-60706';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@`
`16`	`16`	`*`
`17`	`17`	`* @global string $wp_version`
`18`	`18`	`*/`
`19`		`-$wp_version = '6.9-alpha-60705';`
	`19`	`+$wp_version = '6.9-alpha-60706';`
`20`	`20`
`21`	`21`	`/**`
`22`	`22`	`* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.`