HTML API: Prevent adding dangerous double-escape SCRIPT contents.

sirreal · spacedmonkey · commit 140b2422ce30 · 2025-09-24T21:56:57.000+01:00
Prevent WP_Tag_Processor::set_modifiable_text() from allowing SCRIPT contents with "<script" like it does with "</script". Either of these sequences may affect the script element's close. Developed in WordPress#9560. Props jonsurrell, westonruter, dmsnell. See #63738. git-svn-id: https://develop.svn.wordpress.org/trunk@60706 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3780,17 +3780,28 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 
 		switch ( $this->get_tag() ) {
 			case 'SCRIPT':
-				/*
+				/**
 				 * This is over-protective, but ensures the update doesn't break
-				 * out of the SCRIPT element. A more thorough check would need to
-				 * ensure that the script closing tag doesn't exist, and isn't
-				 * also "hidden" inside the script double-escaped state.
+				 * the HTML structure of the SCRIPT element.
+				 *
+				 * More thorough analysis could track the HTML tokenizer states
+				 * and to ensure that the SCRIPT element closes at the expected
+				 * SCRIPT close tag as is done in {@see ::skip_script_data()}.
 				 *
-				 * It may seem like replacing `</script` with `<\/script` would
-				 * properly escape these things, but this could mask regex patterns
-				 * that previously worked. Resolve this by not sending `</script`
+				 * A SCRIPT element could be closed prematurely by contents
+				 * like `</script>`. A SCRIPT element could be prevented from
+				 * closing by contents like `<!--<script>`.
+				 *
+				 * The following strings are essential for dangerous content,
+				 * although they are insufficient on their own. This trade-off
+				 * prevents dangerous scripts from being sent to the browser.
+				 * It is also unlikely to produce HTML that may confuse more
+				 * basic HTML tooling.
 				 */
-				if ( false !== stripos( $plaintext_content, '</script' ) ) {
+				if (
+					false !== stripos( $plaintext_content, '</script' ) ||
+					false !== stripos( $plaintext_content, '<script' )
+				) {
 					return false;
 				}
 
diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
@@ -490,6 +490,7 @@ public static function data_unallowed_modifiable_text_updates() {
 			'Comment with --!>'                => array( '<!-- this is a comment -->', 'Invalid but legitimate comments end in --!>' ),
 			'SCRIPT with </script>'            => array( '<script>Replace me</script>', 'Just a </script>' ),
 			'SCRIPT with </script attributes>' => array( '<script>Replace me</script>', 'before</script id=sneak>after' ),
+			'SCRIPT with "<script " opener'    => array( '<script>Replace me</script>', '<!--<script ' ),
 		);
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -490,6 +490,7 @@ public static function data_unallowed_modifiable_text_updates() {`
`490`	`490`	`'Comment with --!>' => array( '<!-- this is a comment -->', 'Invalid but legitimate comments end in --!>' ),`
`491`	`491`	`'SCRIPT with </script>' => array( '<script>Replace me</script>', 'Just a </script>' ),`
`492`	`492`	`'SCRIPT with </script attributes>' => array( '<script>Replace me</script>', 'before</script id=sneak>after' ),`
	`493`	`+ 'SCRIPT with "<script " opener' => array( '<script>Replace me</script>', '<!--<script ' ),`
`493`	`494`	`);`
`494`	`495`	`}`
`495`	`496`	`}`