@@ -3811,23 +3811,32 @@ public function set_modifiable_text( string $plaintext_content ): bool {
38113811
38123812 switch ( $ this ->get_tag () ) {
38133813 case 'SCRIPT ' :
3814- /**
3815- * This is over-protective, but ensures the update doesn't break
3816- * the HTML structure of the SCRIPT element.
3814+ /*
3815+ * SCRIPT tag contents can be dangerous.
3816+ *
3817+ * The text `</script>` could close the SCRIPT element prematurely.
3818+ *
3819+ * The text `<script>` could enter the "script data double escaped state", preventing the
3820+ * SCRIPT element from closing as expected, for example:
38173821 *
3818- * More thorough analysis could track the HTML tokenizer states
3819- * and to ensure that the SCRIPT element closes at the expected
3820- * SCRIPT close tag as is done in {@see ::skip_script_data()}.
3822+ * <script>
3823+ * // If this "<!--" then "<script>" the closing tag will not be recognized.
3824+ * </script>
3825+ * <h1>This appears inside the preceding SCRIPT element.</h1>
38213826 *
3822- * A SCRIPT element could be closed prematurely by contents
3823- * like `</script>`. A SCRIPT element could be prevented from
3824- * closing by contents like `<!--<script>`.
3827+ * The relevant state transitions happen on text like:
3828+ * 1. <
3829+ * 2. / (optional)
3830+ * 3. script (case-insensitive)
3831+ * 4. One of the following characters:
3832+ * - \t
3833+ * - \n
3834+ * - \f
3835+ * - " " (U+0020 SPACE)
3836+ * - /
3837+ * - >
38253838 *
3826- * The following strings are essential for dangerous content,
3827- * although they are insufficient on their own. This trade-off
3828- * prevents dangerous scripts from being sent to the browser.
3829- * It is also unlikely to produce HTML that may confuse more
3830- * basic HTML tooling.
3839+ * @see https://html.spec.whatwg.org/multipage/parsing.html#script-data-double-escaped-state
38313840 */
38323841 if (
38333842 false !== stripos ( $ plaintext_content , '</script ' ) ||
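Review bot: the terminator list in step 4 of the new comment (`\t`, `\n`, `\f`, U+0020 SPACE, `/`, `>`) leaves out `\r`. The HTML spec normalizes CR to LF before tokenization, so a raw carriage return in `$plaintext_content` directly after `script` would act as a terminator once a browser parses the output. Either add `\r` to the list or state that the input is assumed to be newline-normalized. Also, the sentence introducing the double escaped state names only `<script>`, while the example underneath shows it takes a preceding `<!--`; say so in the sentence. Finally, the one condition line visible here, `false !== stripos ( $ plaintext_content , '</script ' )`, is a plain substring match with no terminator check, so the comment should say whether the check is intentionally broader than the transitions it documents.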