Add test for unclosed script tag

sirreal · sirreal · commit 353fa40c01ee · 2025-07-30T10:02:29.000+02:00
diff --git a/tests/phpunit/tests/blocks/editor.php b/tests/phpunit/tests/blocks/editor.php
@@ -9,7 +9,6 @@
  * @group blocks
  */
 class Tests_Blocks_Editor extends WP_UnitTestCase {
-
 	/**
 	 * Sets up each test method.
 	 */
@@ -631,8 +630,8 @@ function filter_add_preload_paths( $preload_paths, WP_Block_Editor_Context $cont
 
 		$after = implode( '', wp_scripts()->registered['wp-api-fetch']->extra['after'] );
 		$this->assertStringContainsString( 'wp.apiFetch.createPreloadingMiddleware', $after );
-		$this->assertStringContainsString( '"\/wp\/v2\/blocks"', $after );
-		$this->assertStringContainsString( '"\/wp\/v2\/types"', $after );
+		$this->assertStringContainsString( '"/wp/v2/blocks"', $after );
+		$this->assertStringContainsString( '"/wp/v2/types"', $after );
 	}
 
 	/**
@@ -697,28 +696,75 @@ public function data_block_editor_rest_api_preload_adds_missing_leading_slash()
 		return array(
 			'a string without a slash'               => array(
 				'preload_paths' => array( 'wp/v2/blocks' ),
-				'expected'      => '\/wp\/v2\/blocks',
+				'expected'      => '/wp/v2/blocks',
 			),
 			'a string with a slash'                  => array(
 				'preload_paths' => array( '/wp/v2/blocks' ),
-				'expected'      => '\/wp\/v2\/blocks',
+				'expected'      => '/wp/v2/blocks',
 			),
 			'a string starting with a question mark' => array(
 				'preload_paths' => array( '?context=edit' ),
 				'expected'      => '/?context=edit',
 			),
 			'an array with a string without a slash' => array(
 				'preload_paths' => array( array( 'wp/v2/blocks', 'OPTIONS' ) ),
-				'expected'      => '\/wp\/v2\/blocks',
+				'expected'      => '/wp/v2/blocks',
 			),
 			'an array with a string with a slash'    => array(
 				'preload_paths' => array( array( '/wp/v2/blocks', 'OPTIONS' ) ),
-				'expected'      => '\/wp\/v2\/blocks',
+				'expected'      => '/wp/v2/blocks',
 			),
 			'an array with a string starting with a question mark' => array(
 				'preload_paths' => array( array( '?context=edit', 'OPTIONS' ) ),
-				'expected'      => '\/?context=edit',
+				'expected'      => '/?context=edit',
 			),
 		);
 	}
+
+	/**
+	 * @ticket 62797
+	 *
+	 * @covers ::block_editor_rest_api_preload
+	 *
+	 * Some valid JSON-encoded data is dangerous to embed in HTML without appropriate
+	 * escaping. This test includes prints an example of such data that would prevent
+	 * the enclosing `<script>` from closing on its apparent closer and remain open.
+	 */
+	public function test_ensure_preload_data_script_tag_closes() {
+		add_theme_support( 'html5', array( 'script' ) );
+		register_rest_route(
+			'test/v0',
+			'test-62797',
+			array(
+				'methods'             => 'GET',
+				'callback'            => function () {
+					return '<!-- unclosed comment and a script tag <script></script>';
+				},
+				'permission_callback' => '__return_true',
+			)
+		);
+
+		// Prevent a bunch of noisy or unstable data from being included in the test output.
+		wp_scripts()->registered['wp-api-fetch']->ver            = 'test';
+		wp_scripts()->registered['wp-api-fetch']->extra['after'] = array();
+
+		block_editor_rest_api_preload(
+			array( '/test/v0/test-62797' ),
+			new WP_Block_Editor_Context()
+		);
+
+		ob_start();
+		wp_scripts()->do_item( 'wp-api-fetch' );
+		$output = ob_get_clean();
+
+		$baseurl  = site_url();
+		$expected = <<<HTML
+<script src="{$baseurl}/wp-includes/js/dist/api-fetch.min.js?ver=test" id="wp-api-fetch-js"></script>
+<script id="wp-api-fetch-js-after">
+wp.apiFetch.use( wp.apiFetch.createPreloadingMiddleware( {"/test/v0/test-62797":{"body":["\\u003C!-- unclosed comment and a script tag \\u003Cscript\\u003E\\u003C/script\\u003E"],"headers":{"Allow":"GET"}}} ) );
+</script>
+
+HTML;
+		$this->assertEqualHTML( $expected, $output );
+	}
 }
