HTML API: Improve script tag escape state processing #9397
Conversation
The parser state is managed externally and should not be changed in skip_script_data
…-api/ensure-script-data-states-parse-correctly
This reverts commit d0cbb00.
<!--> and <!---> do not enter the escaped state.
HTML like:
<script><!--<script</script>🎉
Would not encounter the closing script tag
sirreal
changed the title
There was a problem hiding this comment.
Pull Request Overview
This pull request fixes HTML API script tag parsing by correcting two edge cases in script content state transitions. The fixes ensure proper handling of abruptly closed comments and prevent incorrect position advancement when checking for script tag transitions.
- Fixed handling of abruptly closed comment sequences like
<!---->that should remain in unescaped state - Corrected position advancement when checking for script tag transitions to prevent skipping close tags
- Added comprehensive test coverage for various script tag parsing scenarios
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/wp-includes/html-api/class-wp-html-tag-processor.php | Core logic fixes for script tag parsing state transitions and position handling |
| tests/phpunit/tests/html-api/wpHtmlTagProcessor.php | Added comprehensive test cases covering various script tag parsing scenarios |
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Test using WordPress PlaygroundThe changes in this pull request can previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation. |
Co-authored-by: Copilot <[email protected]>
This comment was marked as off-topic.
This comment was marked as off-topic.
Sorry, something went wrong.
| @@ -1537,13 +1559,29 @@ private function skip_script_data(): bool { | |||
| * parsing after updating the state. | |||
There was a problem hiding this comment.
Do these changes interact with the existing comment? Did we get this comment wrong the first time? Did you review the comment above for updates?
There was a problem hiding this comment.
The comment isn't wrong, although I don't understand exactly what the last paragraph is trying to say. I've pushed a change to clarify and simplify it.
There was a problem hiding this comment.
I’ve run some tests with coverage to confirm the changes in behavior.
With the new tests from this PR, but the code in trunk, we have two test failures:
Coverage here matches the existing coverage in trunk.
 This one never matched, which I guess is expected with the change here. |  |
| `trunk` tests with `trunk` code show the same non-tested coverage. | |
|---|---|
 | |
| New tests, new code | |
For now this is mostly an observation. I think the untested lines of code bothered me before but I didn’t know why we weren’t hitting them. I think what you discovered as this optimization on the string length is part of the explanation. | |
|
Good reminder on the coverage reports. I've added more tests and all the lines in wordpress-develop/src/wp-includes/html-api/class-wp-html-tag-processor.php Lines 1631 to 1633 in 057f585 I think that it's impossible to hit now (after [60617] / #9230). It may always have been impossible. However, I don't mind leaving that check even if it's redundant. I believe the condition would be hit on inputs like wordpress-develop/src/wp-includes/html-api/class-wp-html-tag-processor.php Lines 1531 to 1533 in 057f585 |
sirreal
requested review from
dmsnell and
Copilot
and removed request for
Copilot
This comment was marked as off-topic.
This comment was marked as off-topic.
Sorry, something went wrong.
This comment was marked as off-topic.
This comment was marked as off-topic.
Sorry, something went wrong.
|
Is it possible to have Copilot not pollute the PR with its comments? Can it not run locally, or at least leave comments as the result of some command you run? or is it only designed to run from the Github interface and leave erroneous comments? |
There was a problem hiding this comment.
It took me a while but I manually recreated the entire SCRIPT state machine in dot and then piece-meal minimized it until I had this.
Then I verified the code paths in the old and new skip_script_data() and found that the old one has the mistakes while the new one matches the diagram.
Finally I reviewed your blog post and found that our state machines are equivalent, though you show more directly that in double escaped mode there is no need to complete the SCRIPT tag.
On that note, the way I read your diagram, the </script transitions into Close SCRIPT tag are misleading, because the only exit out of the element is a complete closing tag whose name is SCRIPT. This means that if you encounter </script- in those places, we stay in script data or in script data escaped.
The code is correct, and it’s easy to argue the diagram is correct, but I found that slightly confusing. It’s also why I chose names for my diagram instead of literals, because the outbound closing tag might contain attributes and unwanted self-closing flags.
Thanks for your patience and for adding the tests. These are good finds. The rules for consuming vs. reconsuming are easy to overlook.
|
Thanks for diving in and doing your own investigation, I'm happy to have my research confirmed ❤️ The blog post we're referencing is available here: Safe JSON in script tags: How not to break a site
That's a good point, it was a bit ambiguous. I alluded to the trailing character in a foot note but it wasn't sufficiently clear. I added a note after the diagram to help clarify because this is an important point. |
|
It’s fine to keep these separate, but would we want to combine this with #9402? Maybe merge it into here? This is mostly about accounting and not about code. |
✅ (merged to trunk)
This includes #9230 (merged here).Trac ticket: https://core.trac.wordpress.org/ticket/63738
Address two small HTML API mis-parses of script contents.
In this case, the parser switched from unescaped to escaped on a sequence like
<!-->. This abruptly closed empty comment does not transition to escaped, but remains in the unescaped state.In the example, the double-escaped state should not be reached on
<script>(because the processor should not be in the escaped state) and the script tag should close correctly at</script>.before / after
In this case
<script<is correctly recognized as not a sequence that should transition from escaped to double-escaped, however it incorrectly advances beyond the following<character that starts the script close tag and does not close correctly at</script>.before / after
This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.