HTML API: Reduce skip_script_data length checks

src/wp-includes/html-api/class-wp-html-tag-processor.php

@@ -1496,13 +1496,48 @@ private function skip_script_data(): bool {
 		while ( false !== $at && $at < $doc_length ) {
 			$at += strcspn( $html, '-<', $at );
 
+			/*
+			 * Optimization: Terminating a complete script element requires at least eight
+			 * additional bytes in the document. Some checks below may cause local escaped
+			 * state transitions when processing shorter strings, but those transitions are
+			 * irrelevant if the script tag is incomplete and the function must return false.
+			 *
+			 * This may need updating if those transitions become significant or exported from
+			 * this function in some way, such as when building safe methods to embed JavaScript
+			 * or data inside a SCRIPT element.
+			 *
+			 *     $at may be here.
+			 *        ↓
+			 *     ...</script>
+			 *         ╰──┬───╯
+			 *     $at + 8 additional bytes are required for a non-false return value.
+			 *
+			 * This single check eliminates the need to check lengths for the shorter spans:
+			 *
+			 *           $at may be here.
+			 *                  ↓
+			 *     <script><!-- --></script>
+			 *                   ├╯
+			 *             $at + 2 additional characters does not require a length check.
+			 *
+			 * The transition from "escaped" to "unescaped" is not relevant if the document ends:
+			 *
+			 *           $at may be here.
+			 *                  ↓
+			 *     <script><!-- -->[[END-OF-DOCUMENT]]
+			 *                   ╰──┬───╯
+			 *             $at + 8 additional bytes is not satisfied, return false.
+			 */
+			if ( $at + 8 >= $doc_length ) {
+				return false;
+			}
+
 			/*
 			 * For all script states a "-->"  transitions
 			 * back into the normal unescaped script mode,
 			 * even if that's the current state.
 			 */
 			if (
-				$at + 2 < $doc_length &&
 				'-' === $html[ $at ] &&
 				'-' === $html[ $at + 1 ] &&
 				'>' === $html[ $at + 2 ]
@@ -1512,10 +1547,6 @@ private function skip_script_data(): bool {
 				continue;
 			}
 
-			if ( $at + 1 >= $doc_length ) {
-				return false;
-			}
-
 			/*
 			 * Everything of interest past here starts with "<".
 			 * Check this character and advance position regardless.
@@ -1537,7 +1568,6 @@ private function skip_script_data(): bool {
 			 * parsing after updating the state.
 			 */
 			if (
-				$at + 2 < $doc_length &&
 				'!' === $html[ $at ] &&
 				'-' === $html[ $at + 1 ] &&
 				'-' === $html[ $at + 2 ]
@@ -1561,7 +1591,6 @@ private function skip_script_data(): bool {
 			 * proceed scanning to the next potential token in the text.
 			 */
 			if ( ! (
-				$at + 6 < $doc_length &&
 				( 's' === $html[ $at ] || 'S' === $html[ $at ] ) &&
 				( 'c' === $html[ $at + 1 ] || 'C' === $html[ $at + 1 ] ) &&
 				( 'r' === $html[ $at + 2 ] || 'R' === $html[ $at + 2 ] ) &&
@@ -1579,9 +1608,6 @@ private function skip_script_data(): bool {
 			 * "<script123" should not end a script region even though
 			 * "<script" is found within the text.
 			 */
-			if ( $at + 6 >= $doc_length ) {
-				continue;
-			}
 			$at += 6;
 			$c   = $html[ $at ];
 			if ( ' ' !== $c && "\t" !== $c && "\r" !== $c && "\n" !== $c && '/' !== $c && '>' !== $c ) {
@@ -1611,8 +1637,6 @@ private function skip_script_data(): bool {
 				}
 
 				if ( $this->bytes_already_parsed >= $doc_length ) {
-					$this->parser_state = self::STATE_INCOMPLETE_INPUT;
-
 					return false;
 				}
 

tests/phpunit/tests/html-api/wpHtmlTagProcessor.php

@@ -1981,6 +1981,49 @@ public static function data_next_tag_ignores_script_tag_contents() {
 		);
 	}
 
+	/**
+	 * Test that script tags are parsed correctly.
+	 *
+	 * Script tag parsing is very complicated, see the following resources for more details:
+	 *
+	 * - https://html.spec.whatwg.org/multipage/parsing.html#script-data-state
+	 * - https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+	 *
+	 * @ticket 63738
+	 *
+	 * @dataProvider data_script_tag
+	 */
+	public function test_script_tag_parsing( string $input, bool $closes ) {
+		$processor = new WP_HTML_Tag_Processor( $input );
+
+		if ( $closes ) {
+			$this->assertTrue( $processor->next_token(), 'Expected to find complete script tag.' );
+			$this->assertSame( 'SCRIPT', $processor->get_tag() );
+			return;
+		}
+
+		$this->assertFalse( $processor->next_token(), 'Expected to fail next_token().' );
+		$this->assertTrue( $processor->paused_at_incomplete_token(), 'Expected an incomplete SCRIPT tag token.' );
+	}
+
+	/**
+	 * Data provider.
+	 */
+	public static function data_script_tag(): array {
+		return array(
+			'Basic script tag'                          => array( '<script></script>', true ),
+			'Script with type attribute'                => array( '<script type="text/javascript"></script>', true ),
+			'Script data escaped'                       => array( '<script><!--</script>', true ),
+			'Script data double-escaped exit (comment)' => array( '<script><!--<script>--></script>', true ),
+			'Script data double-escaped exit (closed)'  => array( '<script><!--<script></script></script>', true ),
+			'Script data double-escaped exit (closed/truncated)' => array( '<script><!--<script></script </script>', true ),
+			'Script data no double-escape'              => array( '<script><!-- --><script></script>', true ),
+
+			'Script tag with self-close flag (ignored)' => array( '<script />', false ),
+			'Script data double-escaped'                => array( '<script><!--<script></script>', false ),
+		);
+	}
+
 	/**
 	 * Invalid tag names are comments on tag closers.
 	 *