[wp-trac] [WordPress Trac] #62797: wp_add_inline_script does not properly escape '<!-- <script>' in contents
WordPress Trac
noreply at wordpress.org
Thu Jan 9 16:58:47 UTC 2025
#62797: wp_add_inline_script does not properly escape '<!-- <script>' in contents
--------------------------+-----------------------------
Reporter: artpi | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Editor | Version: 6.7.1
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
I am adding this issue in the "Editor" because this is how it's easiest to
reproduce and how I stumbled onto it, but it is possible to reproduce the
issue outside of editor context.
**Reproduction path**
1. Start writing a post in Gutenberg
2. Enter code editor
3. Paste the following code
{{{
<p><!-- <script> </p>
</p>
}}}
4. Save
5. Exit code editor into block editor
6. Reload the page
7. Observe the editor crash and burn
Here is a video of a reproduction on a fresh site:
[https://screen.studio/share/ELc9d6zJ]
**What is going on?**
`block_editor_rest_api_preload` is using wp_add_inline_script to preload
the currently edited block content into the page
https://github.com/WordPress/WordPress/blob/0086f4ba4080285c90c08854a5d085c76b6d5109/wp-includes/block-editor.php#L767
Because the <script> tag is hidden in a comment that has not been
properly terminated, it is impossible to get out of the script tag now,
and nothing gets rendered afterwards.
Tested up to WordPress version `6.7.1`
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62797>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
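
The parsing behaviour the ticket describes, as an added example that is not part of the original message or of WordPress code: a simplified JavaScript model of the HTML tokenizer's script-data states, run on the ticket's markup. `preload` is a hypothetical function name, and writing `<` as `\u003C` is one assumed mitigation, not the project's fix.

```javascript
// Added example: simplified model of the HTML tokenizer's script-data states.
const DELIM = /[\t\n\f \/>]/;

// True when `prefix` (e.g. "</script") starts at i and a tag delimiter follows it.
function tagAt(s, i, prefix) {
  return s.slice(i, i + prefix.length).toLowerCase() === prefix &&
    DELIM.test(s.charAt(i + prefix.length));
}

// `body` is the text after an opening <script> tag. Returns the index of the
// </script that closes the element, or -1 if the element never closes.
function findScriptEnd(body) {
  let state = 'data'; // 'data' | 'escaped' | 'double-escaped'
  for (let i = 0; i < body.length; i++) {
    if (state === 'data') {
      if (body.startsWith('<!--', i)) { state = 'escaped'; i += 1; continue; }
      if (tagAt(body, i, '</script')) return i;
    } else {
      if (body.startsWith('-->', i)) { state = 'data'; i += 2; continue; }
      if (state === 'escaped') {
        if (tagAt(body, i, '</script')) return i;
        if (tagAt(body, i, '<script')) state = 'double-escaped';
      } else if (tagAt(body, i, '</script')) {
        state = 'escaped'; // end tag is swallowed; the element stays open
      }
    }
  }
  return -1;
}

// Assumed mitigation: write "<" as the JSON escape \u003C so no comment-like
// or tag-like sequence reaches the tokenizer. JSON.parse restores the value.
function inlineJson(value) {
  return JSON.stringify(value).replace(/</g, '\\u003C');
}

// Constructed sample: the ticket's markup, preloaded via a hypothetical preload().
const content = '<p><!-- <script> </p>\n</p>';
const tail = '</script><div id="editor"></div>';
const naive = 'preload(' + JSON.stringify(content) + ');' + tail;
const safe = 'preload(' + inlineJson(content) + ');' + tail;

console.log('naive closes at', findScriptEnd(naive));
console.log('safe closes at', findScriptEnd(safe));
```

In the naive case the real `</script>` only moves the tokenizer from the double-escaped state back to the escaped state, so the rest of the page is consumed as script text.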