Improve script tag test and sanitization

Author: sirreal

src/wp-includes/functions.wp-scripts.php

@@ -139,6 +139,11 @@ function wp_add_inline_script( $handle, $data, $position = 'after' ) {
 		(
 			"\t" === $data[7] ||
 			"\n" === $data[7] ||
+			/*
+			 * \r\n and \r are normalized to \n in HTML newline normalization.
+			 * Therefore, \r always behaves like \n and terminates a tag name.
+			 */
+			"\r" === $data[7] ||
 			"\f" === $data[7] ||
 			' ' === $data[7] ||
 			'/' === $data[7] ||

src/wp-includes/html-api/class-wp-html-tag-processor.php

@@ -3831,17 +3831,15 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 				 *     4. One of the following characters:
 				 *        - \t
 				 *        - \n
+				 *        - \r (\r and \r\n newlines are normalized to \n in HTML pre-processing)
 				 *        - \f
 				 *        - " " (U+0020 SPACE)
 				 *        - /
 				 *        - >
 				 *
 				 * @see https://html.spec.whatwg.org/multipage/parsing.html#script-data-double-escaped-state
 				 */
-				if (
-					false !== stripos( $plaintext_content, '</script' ) ||
-					false !== stripos( $plaintext_content, '<script' )
-				) {
+				if ( preg_match( '~</?script[\t\r\n\f />]~i', $plaintext_content ) ) {
 					/*
 					 * JavaScript can be safely escaped.
 					 * Non-JavaScript script tags have unknown semantics.
@@ -3850,12 +3848,12 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 					 */
 					if ( $this->is_javascript_script_tag() ) {
 						$plaintext_content = preg_replace_callback(
-							'~<(/?)(s)(cript)~i',
+							'~<(/?)(s)(cript)([\t\r\n\f />])~i',
 							static function ( $matches ) {
 								$escaped_s_char = 's' === $matches[2]
 									? '\\u0073'
 									: '\\u0053';
-								return "<{$matches[1]}{$escaped_s_char}{$matches[3]}";
+								return "<{$matches[1]}{$escaped_s_char}{$matches[3]}{$matches[4]}";
 							},
 							$plaintext_content
 						);