Merge branch 'html-api/auto-escape-javascript-json' into scripts/use-html-api-for-script-tags

sirreal · sirreal · commit 5828382b5f01 · 2025-12-19T20:10:15.000+01:00
diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3814,15 +3814,16 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 				/*
 				 * SCRIPT tag contents can be dangerous.
 				 *
-				 * The text `</script>` could close the SCRIPT element prematurely.
+				 * The text "</script>" could close the SCRIPT element prematurely.
 				 *
-				 * The text `<script>` could enter the "script data double escaped state", preventing the
+				 * The text "<script>" could enter the “script data double escaped state”, preventing the
 				 * SCRIPT element from closing as expected, for example:
 				 *
 				 *     <script>
-				 *     // If this "<!--" then "<script>" the closing tag will not be recognized.
+				 *       // If "<!--" and "<script>" appear like this,
+				 *       // the following `</script>` close tag will not be recognized.
 				 *     </script>
-				 *     <h1>This appears inside the preceding SCRIPT element.</h1>
+				 *     <h1>This appears _inside_ the preceding SCRIPT element.</h1>
 				 *
 				 * The relevant state transitions happen on text like:
 				 *     1. <
@@ -3844,23 +3845,63 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 					false !== stripos( $plaintext_content, '<script' )
 				) {
 					/*
-					 * JavaScript can be safely escaped.
+					 * JavaScript can be safely escaped with a few exceptions. This is achieved by
+					 * replacing dangerous sequences like "<script" and "</script" with a form
+					 * using a Unicode escape sequence "<\u0073cript>" and "</\u0073cript>".
+					 *
+					 * `<script` and `</script` appear in JavaScript source code in limited places,
+					 * all of which support a Unicode escape sequence on the "s" character.
+					 * JavaScript identifiers, string literals, template literals, and RegExp
+					 * literals all support Unicode escape sequences, meaning that the escaped form
+					 * is indistinguishable from the unescaped form when the JavaScript
+					 * is evaluated.
+					 *
+					 * There are a few exceptions where the escaped form can be detected:
+					 *
+					 * - The escaped form would appear in any JavaScript comments.
+					 * - “Raw” strings via `String.raw()` or the `raw` property of the first
+					 *   argument to a tagged template literal exposes the raw form, revealing any
+					 *   escaping that has been applied.
+					 * - The `source` property of a RegExp object reveals an escaped form the of
+					 *   the pattern.
+					 *
+					 * For JavaScript that needs to avoid these issues, workarounds may
+					 * be available. For example:
+					 *
+					 *      // Instead of:
+					 *      const rawStringWillBeEscaped = String.raw`</script>`;
+					 *
+					 *      // This will yield the same result with no escaping required:
+					 *      const rawStringWillBePreserved = String.raw`</scr` + String.raw`ipt>`;
+					 *
+					 *      // After the escaping has been applied and the JavaScript evaluated,
+					 *      // these are the resulting values:
+					 *      rawStringWillBeEscaped;  // "</\\u0073cript>"
+					 *      rawStringWillBePreserve; // "</script>"
+					 *
+					 *
+					 * Escaping is applied only where strictly necessary, reducing the likelyhood
+					 * that observable differences manifest in the escaped JavaScript.
+					 *
+					 * The alternatives are to reject JavaScript that could be safely escaped in
+					 * a majority of cases or to relax restrictions in ways that produce dangerous
+					 * or broken HTML documents, neither are desirable.
 					 */
 					if ( $this->is_javascript_script_tag() ) {
 						$plaintext_content = preg_replace_callback(
 							/*
-							 * This case-insensitive pattern consists of three groups:
+							 * This case-insensitive pattern consists of three groups (in order):
 							 *
-							 * 1: "<" or "</"
-							 * 2: "s"
-							 * 3: "cript" + a trailing character that terminates a tag name.
+							 * HEAD:   "<" or "</"
+							 * S_CHAR: "s"
+							 * TAIL:   "cript" + a trailing tag name termination character
 							 */
-							'~(</?)(s)(cript[\\t\\r\\n\\f />])~i',
+							'~(?P<HEAD></?)(?P<S_CHAR>s)(?P<TAIL>cript[\\t\\r\\n\\f />])~i',
 							static function ( $matches ) {
-								$escaped_s_char = 's' === $matches[2]
+								$escaped_s_char = 's' === $matches['S_CHAR']
 									? '\\u0073'
 									: '\\u0053';
-								return "{$matches[1]}{$escaped_s_char}{$matches[3]}";
+								return "{$matches['HEAD']}{$escaped_s_char}{$matches['TAIL']}";
 							},
 							$plaintext_content
 						);
@@ -3882,7 +3923,8 @@ static function ( $matches ) {
 						);
 					} else {
 						/*
-						 * Other types of script tags cannot be escaped safely.
+						 * Other types of script tags cannot be escaped safely because the type
+						 * of comment and escaping strategy are unknown.
 						 */
 						return false;
 					}
@@ -3948,11 +3990,14 @@ static function ( $tag_match ) {
 	 *
 	 * @see https://html.spec.whatwg.org/multipage/scripting.html#prepare-the-script-element
 	 *
-	 * @since {WP_VERSION}
+	 * @ignore
+	 * @todo Consider a public API that is clear and general.
+	 *
+	 * @since 7.0.0
 	 *
 	 * @return bool True if the script tag will be evaluated as JavaScript.
 	 */
-	public function is_javascript_script_tag(): bool {
+	private function is_javascript_script_tag(): bool {
 		if ( 'SCRIPT' !== $this->get_tag() || $this->get_namespace() !== 'html' ) {
 			return false;
 		}
@@ -4059,11 +4104,14 @@ public function is_javascript_script_tag(): bool {
 	/**
 	 * Indicates if the currently matched tag is a JSON script tag.
 	 *
-	 * @since {WP_VERSION}
+	 * @ignore
+	 * @todo Consider a public API that is clear and general.
+	 *
+	 * @since 7.0.0
 	 *
 	 * @return bool True if the script tag should be treated as JSON.
 	 */
-	public function is_json_script_tag(): bool {
+	private function is_json_script_tag(): bool {
 		if ( 'SCRIPT' !== $this->get_tag() || $this->get_namespace() !== 'html' ) {
 			return false;
 		}
@@ -4083,16 +4131,15 @@ public function is_json_script_tag(): bool {
 		 * > A JSON MIME type is any MIME type whose subtype ends in "+json" or whose essence
 		 * > is "application/json" or "text/json".
 		 *
-		 * The JSON subtype ending in "+json" is not currently handled due to lack
-		 * of a MIME type parser.
+		 * @todo The JSON MIME type handling handles some common cases but when MIME type parsing is available it should be leveraged here.
 		 *
 		 * @see https://mimesniff.spec.whatwg.org/#json-mime-type
 		 */
 		if (
-			'application/json' === $type
-			|| 'importmap' === $type
-			|| 'speculationrules' === $type
-			|| 'text/json' === $type
+			'importmap' === $type ||
+			'speculationrules' === $type ||
+			'application/json' === $type ||
+			'text/json' === $type
 		) {
 			return true;
 		}
diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
@@ -544,7 +544,7 @@ public static function data_script_tag_text_updates(): array {
 	 * @ticket 64419
 	 */
 	public function test_complex_javascript_and_json_auto_escaping() {
-		$processor = new WP_HTML_Tag_Processor( "<script></script>\n<script></script>\n<h1>OK</h1>" );
+		$processor = new WP_HTML_Tag_Processor( "<script></script>\n<script></script>\n<hr>" );
 		$processor->next_tag( 'SCRIPT' );
 		$processor->set_attribute( 'type', 'importmap' );
 		$importmap_data = array(
@@ -558,27 +558,27 @@ public function test_complex_javascript_and_json_auto_escaping() {
 			JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_LINE_TERMINATORS
 		);
 
-		$processor->set_modifiable_text( $importmap );
+		$processor->set_modifiable_text( "\n{$importmap}\n" );
 		$decoded_importmap = json_decode( $processor->get_modifiable_text(), true );
-		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'Precondition failed, JSON did not decode as expected: ' . json_last_error_msg() );
-		$this->assertEquals(
-			$importmap_data,
-			$decoded_importmap,
-			'Precondition failed: importmap JSON did not decode/encode as expected: ' . json_last_error_msg()
-		);
-
+		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'JSON failed to decode correctly.' );
+		$this->assertEquals( $importmap_data, $decoded_importmap );
 		$processor->next_tag( 'SCRIPT' );
 		$processor->set_attribute( 'type', 'module' );
 		$javascript = <<<'JS'
 import '</SCRIPT>\\<!--\\<script>';
 JS;
-		$processor->set_modifiable_text( $javascript );
+		$processor->set_modifiable_text( "\n{$javascript}\n" );
 
-		$expected     = <<<'HTML'
-<script type="importmap">{"imports":{"\u003C/SCRIPT>\\\u003C!--\\\u003Cscript>":"./script"}}</script>
-<script type="module">import '</\u0053CRIPT>\\<!--\\<\u0073cript>';</script>
-<h1>OK</h1>
+		$expected = <<<'HTML'
+<script type="importmap">
+{"imports":{"\u003C/SCRIPT>\\\u003C!--\\\u003Cscript>":"./script"}}
+</script>
+<script type="module">
+import '</\u0053CRIPT>\\<!--\\<\u0073cript>';
+</script>
+<hr>
 HTML;
+
 		$updated_html = $processor->get_updated_html();
 		$this->assertEqualHTML( $expected, $updated_html );
 
@@ -588,11 +588,11 @@ public function test_complex_javascript_and_json_auto_escaping() {
 		$this->assertSame( 'importmap', $processor->get_attribute( 'type' ) );
 		$importmap_json    = $processor->get_modifiable_text();
 		$decoded_importmap = json_decode( $importmap_json, true );
-		$this->assertSame( 'No error', json_last_error_msg() );
+		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'Importmap JSON failed to decode.' );
 		$this->assertEquals(
 			$importmap_data,
 			$decoded_importmap,
-			'Precondition failed: re-processed importmap JSON did not decode/encode as expected: ' . json_last_error_msg()
+			'JSON was not equal after re-processing updated HTML.'
 		);
 	}
 
@@ -603,21 +603,23 @@ public function test_json_auto_escaping() {
 		// This is not a typical JSON encoding or escaping, but it is valid.
 		$json_text             = '"Escaped BS: \\\\; Escaped BS+LT: \\\\<; Unescaped LT: <; Script closer: </script>"';
 		$expected_decoded_json = 'Escaped BS: \\; Escaped BS+LT: \\<; Unescaped LT: <; Script closer: </script>';
-		$decoded_json          = json_decode( $json_text, true );
-		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'Precondition failed, JSON did not decode as expected: ' . json_last_error_msg() );
+		$decoded_json          = json_decode( $json_text );
+		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'JSON failed to decode.' );
 		$this->assertSame(
 			$expected_decoded_json,
 			$decoded_json,
-			'Precondition failed: test JSON text did not decode as expected.'
+			'Decoded JSON did not match expected value.'
 		);
 
 		$processor = new WP_HTML_Tag_Processor( '<script type="application/json"></script>' );
 		$processor->next_tag( 'SCRIPT' );
 
-		$processor->set_modifiable_text( $json_text );
+		$processor->set_modifiable_text( "\n{$json_text}\n" );
 
 		$expected = <<<'HTML'
-<script type="application/json">"Escaped BS: \\; Escaped BS+LT: \\\u003C; Unescaped LT: \u003C; Script closer: \u003C/script>"</script>
+<script type="application/json">
+"Escaped BS: \\; Escaped BS+LT: \\\u003C; Unescaped LT: \u003C; Script closer: \u003C/script>"
+</script>
 HTML;
 
 		$updated_html = $processor->get_updated_html();
@@ -627,7 +629,7 @@ public function test_json_auto_escaping() {
 		$processor = new WP_HTML_Tag_Processor( $expected );
 		$processor->next_tag( 'SCRIPT' );
 		$decoded_json_from_html = json_decode( $processor->get_modifiable_text(), true );
-		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'Precondition failed, JSON did not decode as expected: ' . json_last_error_msg() );
+		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'JSON failed to decode.' );
 		$this->assertEquals(
 			$expected_decoded_json,
 			$decoded_json_from_html
diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
@@ -23,9 +23,13 @@ class Tests_HtmlApi_WpHtmlTagProcessorScriptTag extends WP_UnitTestCase {
 	public function test_is_javascript_script_tag( string $html, bool $expected_result ) {
 		$processor = new WP_HTML_Tag_Processor( $html );
 		$processor->next_tag();
+
+		$result = ( function () {
+			return $this->is_javascript_script_tag();
+		} )->call( $processor );
 		$this->assertSame(
 			$expected_result,
-			$processor->is_javascript_script_tag(),
+			$result,
 			'Failed to correctly identify JavaScript script tag'
 		);
 	}
@@ -98,6 +102,9 @@ public static function data_is_javascript_script_tag(): array {
 			'Script tag with language="jscript"'         => array( '<script language="jscript"></script>', true ),
 			'Script tag with language="livescript"'      => array( '<script language="livescript"></script>', true ),
 
+			// Whitespace is not trimmed in the langauge attribute.
+			'Script tag with language=" javascript"'     => array( '<script language=" javascript"></script>', false ),
+
 			// Non-JavaScript script tags - should NOT be JavaScript.
 			'Script tag with importmap type'             => array( '<script type="importmap"></script>', false ),
 			'Script tag with speculationrules type'      => array( '<script type="speculationrules"></script>', false ),
@@ -122,9 +129,11 @@ public static function data_is_javascript_script_tag(): array {
 	public function test_is_javascript_script_tag_returns_false_before_finding_tags() {
 		$processor = new WP_HTML_Tag_Processor( 'Just some text' );
 		$processor->next_token();
-
+		$result = ( function () {
+			return $this->is_javascript_script_tag();
+		} )->call( $processor );
 		$this->assertFalse(
-			$processor->is_javascript_script_tag(),
+			$result,
 			'Should return false when not stopped on script tag'
 		);
 	}
@@ -137,8 +146,13 @@ public function test_is_javascript_script_tag_returns_false_before_finding_tags(
 	public function test_is_javascript_script_tag_returns_false_for_non_html_namespace() {
 		$processor = new WP_HTML_Tag_Processor( '<script></script>' );
 		$processor->change_parsing_namespace( 'svg' );
+		$processor->next_tag();
+		$this->assertSame( 'SCRIPT', $processor->get_tag() );
+		$result = ( function () {
+			return $this->is_javascript_script_tag();
+		} )->call( $processor );
 		$this->assertFalse(
-			$processor->is_javascript_script_tag(),
+			$result,
 			'Should return false for script tags in non-HTML namespace'
 		);
 	}
@@ -156,9 +170,12 @@ public function test_is_javascript_script_tag_returns_false_for_non_html_namespa
 	public function test_is_json_script_tag( string $html, bool $expected_result ) {
 		$processor = new WP_HTML_Tag_Processor( $html );
 		$processor->next_tag();
+		$result = ( function () {
+			return $this->is_json_script_tag();
+		} )->call( $processor );
 		$this->assertSame(
 			$expected_result,
-			$processor->is_json_script_tag(),
+			$result,
 			'Failed to correctly identify JSON script tag'
 		);
 	}
@@ -222,8 +239,11 @@ public static function data_is_json_script_tag(): array {
 	public function test_is_json_script_tag_returns_false_before_finding_tags() {
 		$processor = new WP_HTML_Tag_Processor( 'Just some text' );
 		$processor->next_token();
+		$result = ( function () {
+			return $this->is_json_script_tag();
+		} )->call( $processor );
 		$this->assertFalse(
-			$processor->is_json_script_tag(),
+			$result,
 			'Should return false when not stopped on script tag'
 		);
 	}
@@ -237,8 +257,12 @@ public function test_is_json_script_tag_returns_false_for_non_html_namespace() {
 		$processor = new WP_HTML_Tag_Processor( '<script></script>' );
 		$processor->change_parsing_namespace( 'svg' );
 		$processor->next_tag();
+		$this->assertSame( 'SCRIPT', $processor->get_tag() );
+		$result = ( function () {
+			return $this->is_json_script_tag();
+		} )->call( $processor );
 		$this->assertFalse(
-			$processor->is_json_script_tag(),
+			$result,
 			'Should return false for script tags in non-HTML namespace'
 		);
 	}
