From 4a8ca98fc72ed28ec00693a56efe35833c70f751 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 15 Dec 2025 20:03:45 +0100
Subject: [PATCH 01/60] Auto-escape JavaScript and JSON script tags when
 necessary

---
 .../html-api/class-wp-html-tag-processor.php  | 245 ++++++++++++++++--
 .../wpHtmlTagProcessorModifiableText.php      | 149 ++++++++++-
 2 files changed, 373 insertions(+), 21 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 31c4bc8a10654..1f2a4a3dc62ac 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3811,29 +3811,83 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 
 		switch ( $this->get_tag() ) {
 			case 'SCRIPT':
-				/**
-				 * This is over-protective, but ensures the update doesn't break
-				 * the HTML structure of the SCRIPT element.
+				/*
+				 * SCRIPT tag contents can be dangerous.
+				 *
+				 * The text `</script>` could close the SCRIPT element prematurely.
 				 *
-				 * More thorough analysis could track the HTML tokenizer states
-				 * and to ensure that the SCRIPT element closes at the expected
-				 * SCRIPT close tag as is done in {@see ::skip_script_data()}.
+				 * The text `<script>` could enter the "script data double escaped state", preventing the
+				 * SCRIPT element from closing as expected, for example:
 				 *
-				 * A SCRIPT element could be closed prematurely by contents
-				 * like `</script>`. A SCRIPT element could be prevented from
-				 * closing by contents like `<!--<script>`.
+				 *     <script>
+				 *     // If this "<!--" then "<script>" the closing tag will not be recognized.
+				 *     </script>
+				 *     <h1>This appears inside the preceding SCRIPT element.</h1>
 				 *
-				 * The following strings are essential for dangerous content,
-				 * although they are insufficient on their own. This trade-off
-				 * prevents dangerous scripts from being sent to the browser.
-				 * It is also unlikely to produce HTML that may confuse more
-				 * basic HTML tooling.
+				 * The relevant state transitions happen on text like:
+				 *     1. <
+				 *     2. / (optional)
+				 *     3. script (case-insensitive)
+				 *     4. One of the following characters:
+				 *        - \t
+				 *        - \n
+				 *        - \r (\r and \r\n newlines are normalized to \n in HTML pre-processing)
+				 *        - \f
+				 *        - " " (U+0020 SPACE)
+				 *        - /
+				 *        - >
+				 *
+				 * @see https://html.spec.whatwg.org/multipage/parsing.html#script-data-double-escaped-state
 				 */
 				if (
 					false !== stripos( $plaintext_content, '</script' ) ||
 					false !== stripos( $plaintext_content, '<script' )
 				) {
-					return false;
+					/*
+					 * JavaScript can be safely escaped.
+					 */
+					if ( $this->is_javascript_script_tag() ) {
+						$plaintext_content = preg_replace_callback(
+							/*
+							 * This case-insensitive pattern consists of three groups:
+							 *
+							 * 1: "<" or "</"
+							 * 2: "s"
+							 * 3: "cript" + a trailing character that terminates a tag name.
+							 */
+							'~(</?)(s)(cript[\\t\\r\\n\\f />])~i',
+							static function ( $matches ) {
+								$escaped_s_char = 's' === $matches[2]
+									? '\\u0073'
+									: '\\u0053';
+								return "{$matches[1]}{$escaped_s_char}{$matches[3]}";
+							},
+							$plaintext_content
+						);
+					} elseif ( $this->is_json_script_tag() ) {
+						/**
+						 * JSON can be safely escaped.
+						 *
+						 * The following replacement may appear insuficcient, "<" is replaced
+						 * with its JSON escape sequence "\u003C" without considering whether
+						 * the "<" is preceded by an escaping slash. JSON does not support
+						 * arbitrary character escaping (like JavaScript strings) so "\<"
+						 * is invalid JSON and would have to be preceded by
+						 * an escaped backslash: "\\<".
+						 *
+						 * @see https://www.json.org/json-en.html
+						 */
+
+						$plaintext_content = strtr(
+							$plaintext_content,
+							array( '<' => '\\u003C' )
+						);
+					} else {
+						/*
+						 * Other types of script tags cannot be escaped safely.
+						 */
+						return false;
+					}
 				}
 
 				$this->lexical_updates['modifiable text'] = new WP_HTML_Text_Replacement(
@@ -3891,6 +3945,167 @@ static function ( $tag_match ) {
 		return false;
 	}
 
+	/**
+	 * Indicates if the currently matched tag is a JavaScript script tag.
+	 *
+	 * @see https://html.spec.whatwg.org/multipage/scripting.html#prepare-the-script-element
+	 *
+	 * @since {WP_VERSION}
+	 *
+	 * @return bool True if the script tag will be evaluated as JavaScript.
+	 */
+	public function is_javascript_script_tag(): bool {
+		if ( 'SCRIPT' !== $this->get_tag() || $this->get_namespace() !== 'html' ) {
+			return false;
+		}
+
+		/*
+		 * > If any of the following are true:
+		 * >   - el has a type attribute whose value is the empty string;
+		 * >   - el has no type attribute but it has a language attribute and that attribute's
+		 * >     value is the empty string; or
+		 * >   - el has neither a type attribute nor a language attribute,
+		 * > then let the script block's type string for this script element be "text/javascript".
+		 */
+		$type_attr     = $this->get_attribute( 'type' );
+		$language_attr = $this->get_attribute( 'language' );
+
+		if ( true === $type_attr || '' === $type_attr ) {
+			return true;
+		}
+		if (
+			null === $type_attr && (
+				true === $language_attr ||
+				'' === $language_attr ||
+				null === $language_attr
+			)
+		) {
+			return true;
+		}
+
+		/*
+		 * > Otherwise, if el has a type attribute, then let the script block's type string be
+		 * > the value of that attribute with leading and trailing ASCII whitespace stripped.
+		 * > Otherwise, el has a non-empty language attribute; let the script block's type string
+		 * > be the concatenation of "text/" and the value of el's language attribute.
+		 */
+		$type_string = $type_attr ? trim( $type_attr, " \t\f\r\n" ) : "text/{$language_attr}";
+
+		/*
+		 * > If the script block's type string is a JavaScript MIME type essence match, then
+		 * > set el's type to "classic".
+		 *
+		 * > A string is a JavaScript MIME type essence match if it is an ASCII case-insensitive
+		 * > match for one of the JavaScript MIME type essence strings.
+		 *
+		 * > A JavaScript MIME type is any MIME type whose essence is one of the following:
+		 * >
+		 * > - application/ecmascript
+		 * > - application/javascript
+		 * > - application/x-ecmascript
+		 * > - application/x-javascript
+		 * > - text/ecmascript
+		 * > - text/javascript
+		 * > - text/javascript1.0
+		 * > - text/javascript1.1
+		 * > - text/javascript1.2
+		 * > - text/javascript1.3
+		 * > - text/javascript1.4
+		 * > - text/javascript1.5
+		 * > - text/jscript
+		 * > - text/livescript
+		 * > - text/x-ecmascript
+		 * > - text/x-javascript
+		 *
+		 * @see https://mimesniff.spec.whatwg.org/#javascript-mime-type-essence-match
+		 * @see https://mimesniff.spec.whatwg.org/#javascript-mime-type
+		 */
+		switch ( strtolower( $type_string ) ) {
+			case 'application/ecmascript':
+			case 'application/javascript':
+			case 'application/x-ecmascript':
+			case 'application/x-javascript':
+			case 'text/ecmascript':
+			case 'text/javascript':
+			case 'text/javascript1.0':
+			case 'text/javascript1.1':
+			case 'text/javascript1.2':
+			case 'text/javascript1.3':
+			case 'text/javascript1.4':
+			case 'text/javascript1.5':
+			case 'text/jscript':
+			case 'text/livescript':
+			case 'text/x-ecmascript':
+			case 'text/x-javascript':
+				return true;
+
+			/*
+			 * > Otherwise, if the script block's type string is an ASCII case-insensitive match for
+			 * > the string "module", then set el's type to "module".
+			 *
+			 * A module is evaluated as JavaScript.
+			 */
+			case 'module':
+				return true;
+		}
+
+		/*
+		 * > - Otherwise, if the script block's type string is an ASCII case-insensitive match for
+		 * >   the string "importmap", then set el's type to "importmap".
+		 *
+		 * An importmap is JSON and not evaluated as JavaScript. This case is not handled here.
+		 */
+
+		/*
+		 * > Otherwise, return. (No script is executed, and el's type is left as null.)
+		 */
+		return false;
+	}
+
+	/**
+	 * Indicates if the currently matched tag is a JSON script tag.
+	 *
+	 * @since {WP_VERSION}
+	 *
+	 * @return bool True if the script tag should be treated as JSON.
+	 */
+	public function is_json_script_tag(): bool {
+		if ( 'SCRIPT' !== $this->get_tag() || $this->get_namespace() !== 'html' ) {
+			return false;
+		}
+
+		$type_attr = $this->get_attribute( 'type' );
+
+		if ( empty( $type_attr ) || true === $type_attr ) {
+			return false;
+		}
+
+		$type_string = strtolower( trim( $type_attr, " \t\f\r\n" ) );
+
+		/*
+		 * > …
+		 * > Otherwise, if the script block's type string is an ASCII case-insensitive match for the string "importmap", then set el's type to "importmap".
+		 * > Otherwise, if the script block's type string is an ASCII case-insensitive match for the string "speculationrules", then set el's type to "speculationrules".
+		 * @see https://html.spec.whatwg.org/#script-processing-model
+		 *
+		 * > A JSON MIME type is any MIME type whose subtype ends in "+json" or whose essence
+		 * > is "application/json" or "text/json".
+		 *
+		 * @see https://mimesniff.spec.whatwg.org/#json-mime-type
+		 */
+		if (
+			'application/json' === $type_string
+			|| 'importmap' === $type_string
+			|| 'speculationrules' === $type_string
+			|| 'text/json' === $type_string
+			|| str_ends_with( $type_string, '+json' )
+		) {
+			return true;
+		}
+
+		return false;
+	}
+
 	/**
 	 * Updates or creates a new attribute on the currently matched tag with the passed value.
 	 *
diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
index 66f9e67f5c8ed..7f6dc469fa2d9 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
@@ -448,13 +448,14 @@ public static function data_tokens_with_basic_modifiable_text_updates() {
 	 * the structure of the containing element, such as in a script or comment.
 	 *
 	 * @ticket 61617
+	 * @ticket 62797
 	 *
 	 * @dataProvider data_unallowed_modifiable_text_updates
 	 *
 	 * @param string $html_with_nonempty_modifiable_text Will be used to find the test element.
 	 * @param string $invalid_update                     Update containing possibly-compromising text.
 	 */
-	public function test_rejects_updates_with_unallowed_substrings( string $html_with_nonempty_modifiable_text, string $invalid_update ) {
+	public function test_rejects_dangerous_updates( string $html_with_nonempty_modifiable_text, string $invalid_update ) {
 		$processor = new WP_HTML_Tag_Processor( $html_with_nonempty_modifiable_text );
 
 		while ( '' === $processor->get_modifiable_text() && $processor->next_token() ) {
@@ -486,11 +487,147 @@ public function test_rejects_updates_with_unallowed_substrings( string $html_wit
 	 */
 	public static function data_unallowed_modifiable_text_updates() {
 		return array(
-			'Comment with -->'                 => array( '<!-- this is a comment -->', 'Comments end in -->' ),
-			'Comment with --!>'                => array( '<!-- this is a comment -->', 'Invalid but legitimate comments end in --!>' ),
-			'SCRIPT with </script>'            => array( '<script>Replace me</script>', 'Just a </script>' ),
-			'SCRIPT with </script attributes>' => array( '<script>Replace me</script>', 'before</script id=sneak>after' ),
-			'SCRIPT with "<script " opener'    => array( '<script>Replace me</script>', '<!--<script ' ),
+			'Comment with -->'                        => array( '<!-- this is a comment -->', 'Comments end in -->' ),
+			'Comment with --!>'                       => array( '<!-- this is a comment -->', 'Invalid but legitimate comments end in --!>' ),
+			'Non-JS SCRIPT with <script>'             => array( '<script type="text/html">Replace me</script>', '<!-- Just a <script>' ),
+			'Non-JS SCRIPT with </script>'            => array( '<script type="text/html">Replace me</script>', 'Just a </script>' ),
+			'Non-JS SCRIPT with <script attributes>'  => array( '<script language="text">Replace me</script>', '<!-- <script sneaky>after' ),
+			'Non-JS SCRIPT with </script attributes>' => array( '<script language="text">Replace me</script>', 'before</script sneaky>after' ),
+		);
+	}
+
+	/**
+	 * Ensures that JavaScript script tag contents are safely updated.
+	 *
+	 * @ticket 62797
+	 *
+	 * @dataProvider data_script_tag_text_updates
+	 *
+	 * @param string $html     HTML containing a SCRIPT tag to be modified.
+	 * @param string $update   Update containing possibly-compromising text.
+	 * @param string $expected Expected result.
+	 */
+	public function test_safely_updates_script_tag_contents( string $html, string $update, string $expected ) {
+		$processor = new WP_HTML_Tag_Processor( $html );
+		$this->assertTrue( $processor->next_tag( 'SCRIPT' ) );
+		$this->assertTrue( $processor->set_modifiable_text( $update ) );
+		$this->assertSame( $expected, $processor->get_updated_html() );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array[]
+	 */
+	public static function data_script_tag_text_updates(): array {
+		return array(
+			'Simple update'                         => array( '<script></script>', '{}', '<script>{}</script>' ),
+			'Needs no replacement'                  => array( '<script></script>', '<!--<scriptish>', '<script><!--<scriptish></script>' ),
+			'var script;1<script>0'                 => array( '<script></script>', 'var script;1<script>0', '<script>var script;1<\u0073cript>0</script>' ),
+			'1</script>/'                           => array( '<script></script>', '1</script>/', '<script>1</\u0073cript>/</script>' ),
+			'var SCRIPT;1<SCRIPT>0'                 => array( '<script></script>', 'var SCRIPT;1<SCRIPT>0', '<script>var SCRIPT;1<\u0053CRIPT>0</script>' ),
+			'1</SCRIPT>/'                           => array( '<script></script>', '1</SCRIPT>/', '<script>1</\u0053CRIPT>/</script>' ),
+			'"</script>"'                           => array( '<script></script>', '"</script>"', '<script>"</\u0073cript>"</script>' ),
+			'"</ScRiPt>"'                           => array( '<script></script>', '"</ScRiPt>"', '<script>"</\u0053cRiPt>"</script>' ),
+			'Tricky script open tag with \r'        => array( '<script></script>', "<!-- <script\r>", "<script><!-- <\\u0073cript\r></script>" ),
+			'Tricky script open tag with \r\n'      => array( '<script></script>', "<!-- <script\r\n>", "<script><!-- <\\u0073cript\r\n></script>" ),
+			'Tricky script close tag with \r'       => array( '<script></script>', "// </script\r>", "<script>// </\\u0073cript\r></script>" ),
+			'Tricky script close tag with \r\n'     => array( '<script></script>', "// </script\r\n>", "<script>// </\\u0073cript\r\n></script>" ),
+			'Module tag'                            => array( '<script type="module"></script>', '"<script>"', '<script type="module">"<\u0073cript>"</script>' ),
+			'Tag with type'                         => array( '<script type="text/javascript"></script>', '"<script>"', '<script type="text/javascript">"<\u0073cript>"</script>' ),
+			'Tag with language'                     => array( '<script language="javascript"></script>', '"<script>"', '<script language="javascript">"<\u0073cript>"</script>' ),
+			'Non-JS script, save HTML-like content' => array( '<script type="text/html"></script>', '<h1>This & that</h1>', '<script type="text/html"><h1>This & that</h1></script>' ),
+		);
+	}
+
+	/**
+	 * @ticket TBD
+	 */
+	public function test_complex_javascript_and_json_auto_escaping() {
+		$processor = new WP_HTML_Tag_Processor( "<script></script>\n<script></script>\n<h1>OK</h1>" );
+		$processor->next_tag( 'SCRIPT' );
+		$processor->set_attribute( 'type', 'importmap' );
+		$importmap_data = array(
+			'imports' => array(
+				'</SCRIPT>\\<!--\\<script>' => "./script",
+			),
+		);
+
+		$importmap = json_encode(
+			$importmap_data,
+			JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_LINE_TERMINATORS
+		);
+
+		$processor->set_modifiable_text( $importmap );
+		$decoded_importmap = json_decode( $processor->get_modifiable_text(), true, 512, JSON_THROW_ON_ERROR );
+		$this->assertEquals(
+			$importmap_data,
+			$decoded_importmap,
+			'Precondition failed: importmap JSON did not decode/encode as expected: ' . json_last_error_msg()
+		);
+
+		$processor->next_tag( 'SCRIPT' );
+		$processor->set_attribute( 'type', 'module' );
+		$javascript = <<<'JS'
+import '</SCRIPT>\\<!--\\<script>';
+JS;
+		$processor->set_modifiable_text( $javascript );
+
+		$expected = <<<'HTML'
+<script type="importmap">{"imports":{"\u003C/SCRIPT>\\\u003C!--\\\u003Cscript>":"./script"}}</script>
+<script type="module">import '</\u0053CRIPT>\\<!--\\<\u0073cript>';</script>
+<h1>OK</h1>
+HTML;
+		$updated_html = $processor->get_updated_html();
+		$this->assertEqualHTML( $expected, $updated_html );
+
+		// Re-process and verify the JSON is correct.
+		$processor = new WP_HTML_Tag_Processor( $updated_html );
+		$processor->next_tag( 'SCRIPT' );
+		$this->assertSame( 'importmap', $processor->get_attribute( 'type' ) );
+		$importmap_json = $processor->get_modifiable_text();
+		$decoded_importmap = json_decode( $importmap_json, true );
+		$this->assertSame( 'No error', json_last_error_msg() );
+		$this->assertEquals(
+			$importmap_data,
+			$decoded_importmap,
+			'Precondition failed: re-processed importmap JSON did not decode/encode as expected: ' . json_last_error_msg()
+		);
+	}
+
+	/**
+	 * @ticket TBD
+	 */
+	public function test_json_auto_escaping() {
+		// This is not a typical JSON encoding or escaping, but it is valid.
+		$json_text             = '"Escaped BS: \\\\; Escaped BS+LT: \\\\<; Unescaped LT: <; Script closer: </script>"';
+		$expected_decoded_json = 'Escaped BS: \\; Escaped BS+LT: \\<; Unescaped LT: <; Script closer: </script>';
+		$decoded_json          = json_decode( $json_text, false, 512, JSON_THROW_ON_ERROR );
+		$this->assertSame(
+			$expected_decoded_json,
+			$decoded_json,
+			'Precondition failed: test JSON text did not decode as expected.'
+		);
+
+		$processor = new WP_HTML_Tag_Processor( '<script type="application/json"></script>' );
+		$processor->next_tag( 'SCRIPT' );
+
+		$processor->set_modifiable_text( $json_text );
+
+		$expected = <<<'HTML'
+<script type="application/json">"Escaped BS: \\; Escaped BS+LT: \\\u003C; Unescaped LT: \u003C; Script closer: \u003C/script>"</script>
+HTML;
+
+		$updated_html = $processor->get_updated_html();
+		$this->assertEqualHTML( $expected, $updated_html );
+
+		// Reprocess to ensure JSON value survives HTML round trip:
+		$processor = new WP_HTML_Tag_Processor( $expected );
+		$processor->next_tag( 'SCRIPT' );
+		$decoded_json_from_html = json_decode( $processor->get_modifiable_text(), true, 512, JSON_THROW_ON_ERROR );
+		$this->assertEquals(
+			$expected_decoded_json,
+			$decoded_json_from_html,
 		);
 	}
 }

From 4a28ef2c39fd093d33a49d10ad941ef714267fc8 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 15 Dec 2025 20:16:31 +0100
Subject: [PATCH 02/60] Update ticket number

---
 .../tests/html-api/wpHtmlTagProcessorModifiableText.php       | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
index 7f6dc469fa2d9..12bb9d5a7d9f5 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
@@ -541,7 +541,7 @@ public static function data_script_tag_text_updates(): array {
 	}
 
 	/**
-	 * @ticket TBD
+	 * @ticket 64419
 	 */
 	public function test_complex_javascript_and_json_auto_escaping() {
 		$processor = new WP_HTML_Tag_Processor( "<script></script>\n<script></script>\n<h1>OK</h1>" );
@@ -596,7 +596,7 @@ public function test_complex_javascript_and_json_auto_escaping() {
 	}
 
 	/**
-	 * @ticket TBD
+	 * @ticket 64419
 	 */
 	public function test_json_auto_escaping() {
 		// This is not a typical JSON encoding or escaping, but it is valid.

From 0bef687452a39e816299a8a8f4dc828a675ec3b9 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 15 Dec 2025 20:17:42 +0100
Subject: [PATCH 03/60] Fix those lints

---
 .../tests/html-api/wpHtmlTagProcessorModifiableText.php     | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
index 12bb9d5a7d9f5..19d51d5fb373e 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
@@ -549,7 +549,7 @@ public function test_complex_javascript_and_json_auto_escaping() {
 		$processor->set_attribute( 'type', 'importmap' );
 		$importmap_data = array(
 			'imports' => array(
-				'</SCRIPT>\\<!--\\<script>' => "./script",
+				'</SCRIPT>\\<!--\\<script>' => './script',
 			),
 		);
 
@@ -573,7 +573,7 @@ public function test_complex_javascript_and_json_auto_escaping() {
 JS;
 		$processor->set_modifiable_text( $javascript );
 
-		$expected = <<<'HTML'
+		$expected     = <<<'HTML'
 <script type="importmap">{"imports":{"\u003C/SCRIPT>\\\u003C!--\\\u003Cscript>":"./script"}}</script>
 <script type="module">import '</\u0053CRIPT>\\<!--\\<\u0073cript>';</script>
 <h1>OK</h1>
@@ -585,7 +585,7 @@ public function test_complex_javascript_and_json_auto_escaping() {
 		$processor = new WP_HTML_Tag_Processor( $updated_html );
 		$processor->next_tag( 'SCRIPT' );
 		$this->assertSame( 'importmap', $processor->get_attribute( 'type' ) );
-		$importmap_json = $processor->get_modifiable_text();
+		$importmap_json    = $processor->get_modifiable_text();
 		$decoded_importmap = json_decode( $importmap_json, true );
 		$this->assertSame( 'No error', json_last_error_msg() );
 		$this->assertEquals(

From cdba027a0bdb1f447db080769b1e3665b75be7e9 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 15 Dec 2025 20:35:55 +0100
Subject: [PATCH 04/60] No trailing function commas

---
 .../phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
index 19d51d5fb373e..45c7bc0fbe01a 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
@@ -627,7 +627,7 @@ public function test_json_auto_escaping() {
 		$decoded_json_from_html = json_decode( $processor->get_modifiable_text(), true, 512, JSON_THROW_ON_ERROR );
 		$this->assertEquals(
 			$expected_decoded_json,
-			$decoded_json_from_html,
+			$decoded_json_from_html
 		);
 	}
 }

From ba54ae4be9a4f62b161981820ad463532751e33c Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 15 Dec 2025 21:10:21 +0100
Subject: [PATCH 05/60] Remove JSON_THROW_ON_ERROR constant

---
 .../tests/html-api/wpHtmlTagProcessorModifiableText.php     | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
index 45c7bc0fbe01a..02cacceeb49ae 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
@@ -559,7 +559,8 @@ public function test_complex_javascript_and_json_auto_escaping() {
 		);
 
 		$processor->set_modifiable_text( $importmap );
-		$decoded_importmap = json_decode( $processor->get_modifiable_text(), true, 512, JSON_THROW_ON_ERROR );
+		$decoded_importmap = json_decode( $processor->get_modifiable_text(), true );
+		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'Precondition failed, JSON did not decode as expected: ' . json_last_error_msg() );
 		$this->assertEquals(
 			$importmap_data,
 			$decoded_importmap,
@@ -602,7 +603,8 @@ public function test_json_auto_escaping() {
 		// This is not a typical JSON encoding or escaping, but it is valid.
 		$json_text             = '"Escaped BS: \\\\; Escaped BS+LT: \\\\<; Unescaped LT: <; Script closer: </script>"';
 		$expected_decoded_json = 'Escaped BS: \\; Escaped BS+LT: \\<; Unescaped LT: <; Script closer: </script>';
-		$decoded_json          = json_decode( $json_text, false, 512, JSON_THROW_ON_ERROR );
+		$decoded_json          = json_decode( $json_text, true );
+		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'Precondition failed, JSON did not decode as expected: ' . json_last_error_msg() );
 		$this->assertSame(
 			$expected_decoded_json,
 			$decoded_json,

From a697e9e6de4b499e5d87dd6dcdc2ee546458561c Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 15 Dec 2025 21:19:14 +0100
Subject: [PATCH 06/60] fixup! Remove JSON_THROW_ON_ERROR constant

---
 .../tests/html-api/wpHtmlTagProcessorModifiableText.php        | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
index 02cacceeb49ae..bd587149583a3 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
@@ -626,7 +626,8 @@ public function test_json_auto_escaping() {
 		// Reprocess to ensure JSON value survives HTML round trip:
 		$processor = new WP_HTML_Tag_Processor( $expected );
 		$processor->next_tag( 'SCRIPT' );
-		$decoded_json_from_html = json_decode( $processor->get_modifiable_text(), true, 512, JSON_THROW_ON_ERROR );
+		$decoded_json_from_html = json_decode( $processor->get_modifiable_text(), true );
+		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'Precondition failed, JSON did not decode as expected: ' . json_last_error_msg() );
 		$this->assertEquals(
 			$expected_decoded_json,
 			$decoded_json_from_html

From 8246439640b7764b3017739cb1e645746616039b Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 16 Dec 2025 15:39:04 +0100
Subject: [PATCH 07/60] Remove JSON +json subtype handling

---
 src/wp-includes/html-api/class-wp-html-tag-processor.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 1f2a4a3dc62ac..47084f632226a 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -4091,6 +4091,9 @@ public function is_json_script_tag(): bool {
 		 * > A JSON MIME type is any MIME type whose subtype ends in "+json" or whose essence
 		 * > is "application/json" or "text/json".
 		 *
+		 * The JSON subtype ending in "+json" is not currently handled due to lack
+		 * of a MIME type parser.
+		 *
 		 * @see https://mimesniff.spec.whatwg.org/#json-mime-type
 		 */
 		if (
@@ -4098,7 +4101,6 @@ public function is_json_script_tag(): bool {
 			|| 'importmap' === $type_string
 			|| 'speculationrules' === $type_string
 			|| 'text/json' === $type_string
-			|| str_ends_with( $type_string, '+json' )
 		) {
 			return true;
 		}

From b3e88e88fbf5c8d0b6cf45b1bc99995a624379d8 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 16 Dec 2025 19:12:58 +0100
Subject: [PATCH 08/60] Add test for scripts containing script tags

---
 tests/phpunit/tests/dependencies/scripts.php | 52 ++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/tests/phpunit/tests/dependencies/scripts.php b/tests/phpunit/tests/dependencies/scripts.php
index a3c8b92695f4f..f9d8a18aa3376 100644
--- a/tests/phpunit/tests/dependencies/scripts.php
+++ b/tests/phpunit/tests/dependencies/scripts.php
@@ -4122,4 +4122,56 @@ public function test_wp_scripts_doing_it_wrong_for_missing_dependencies() {
 			'Expected _doing_it_wrong() notice to indicate missing dependencies for enqueued script.'
 		);
 	}
+
+	/**
+	 * @ticket TBD
+	 * @covers ::wp_add_inline_script
+	 */
+	public function test_gnarly_inline_script_requires_escaping() {
+		$this->add_html5_script_theme_support();
+		wp_enqueue_script( 'test-inline-script-after', 'http://example.org/script.js', array(), null );
+		$javascript = <<<'JS'
+var script;
+0</script/>0;'<!--';console.assert(1<script>=0);
+JS;
+		wp_add_inline_script( 'test-inline-script-after', $javascript, 'after' );
+		$output   = get_echo( 'wp_print_scripts' );
+		$expected = <<<'HTML'
+<script src="http://example.org/script.js" id="test-inline-script-after-js"></script>
+<script id="test-inline-script-after-js-after">
+var script;
+0</\u0073cript/>0;'<!--';console.assert(1<\u0073cript>=0);
+//# sourceURL=test-inline-script-after-js-after
+</script>
+HTML;
+
+		$this->assertEqualHTML( $expected, $output );
+	}
+
+	/**
+	 * @ticket TBD
+	 * @covers ::wp_add_inline_script
+	 *
+	 * @expectedIncorrectUsage wp_add_inline_script
+	 */
+	public function test_gnarly_inline_script_requires_escaping_with_wrapper() {
+		$this->add_html5_script_theme_support();
+		wp_enqueue_script( 'test-inline-script-after', 'http://example.org/script.js', array(), null );
+		$javascript = <<<'JS'
+<script>
+// Uh oh:</script>
+</script>
+JS;
+		wp_add_inline_script( 'test-inline-script-after', $javascript, 'after' );
+		$output   = get_echo( 'wp_print_scripts' );
+		$expected = <<<'HTML'
+<script src="http://example.org/script.js" id="test-inline-script-after-js"></script>
+<script id="test-inline-script-after-js-after">
+// Uh oh:
+//# sourceURL=test-inline-script-after-js-after
+</script>
+HTML;
+
+		$this->assertEqualHTML( $expected, $output );
+	}
 }

From 27c6371199ac94ed9d0b35836776460cf53d4f6f Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 16 Dec 2025 19:23:43 +0100
Subject: [PATCH 09/60] Update wp_add_inline_script to use HTML API

---
 src/wp-includes/functions.wp-scripts.php | 41 +++++++++++++++++-------
 src/wp-includes/script-loader.php        |  6 ++++
 2 files changed, 35 insertions(+), 12 deletions(-)

diff --git a/src/wp-includes/functions.wp-scripts.php b/src/wp-includes/functions.wp-scripts.php
index f86b456d5f69a..e59ab6b7d39a9 100644
--- a/src/wp-includes/functions.wp-scripts.php
+++ b/src/wp-includes/functions.wp-scripts.php
@@ -130,18 +130,35 @@ function wp_print_scripts( $handles = false ) {
 function wp_add_inline_script( $handle, $data, $position = 'after' ) {
 	_wp_scripts_maybe_doing_it_wrong( __FUNCTION__, $handle );
 
-	if ( false !== stripos( $data, '</script>' ) ) {
-		_doing_it_wrong(
-			__FUNCTION__,
-			sprintf(
-				/* translators: 1: <script>, 2: wp_add_inline_script() */
-				__( 'Do not pass %1$s tags to %2$s.' ),
-				'<code>&lt;script&gt;</code>',
-				'<code>wp_add_inline_script()</code>'
-			),
-			'4.5.0'
-		);
-		$data = trim( preg_replace( '#<script[^>]*>(.*)</script>#is', '$1', $data ) );
+	/*
+	 * Check whether the script data appears to be enclosed in an HTML <script> tag.
+	 */
+	if (
+		/*
+		 * Detect a SCRIPT tag inside the provided script data.
+		 * $data must be sufficiently long and start with "<script" (case-insensitive),
+		 * followed by a tag name termination character.
+		 */
+		strlen( $data ) >= 17
+		&& 0 === substr_compare( $data, '<script', 0, 7, true )
+		&& 1 === strspn( $data, "\t\n\r\f />", 7, 1 )
+	) {
+		// Try to parse and extract the script contents.
+		$processor = new WP_HTML_Tag_Processor( $data );
+		$processor->next_token();
+		if ( $processor->get_tag() === 'SCRIPT' ) {
+			_doing_it_wrong(
+				__FUNCTION__,
+				sprintf(
+					/* translators: 1: <script>, 2: wp_add_inline_script() */
+					__( 'Do not pass %1$s tags to %2$s.' ),
+					'<code>&lt;script&gt;</code>',
+					'<code>wp_add_inline_script()</code>'
+				),
+				'4.5.0'
+			);
+			$data = $processor->get_modifiable_text();
+		}
 	}
 
 	return wp_scripts()->add_inline_script( $handle, $data, $position );
diff --git a/src/wp-includes/script-loader.php b/src/wp-includes/script-loader.php
index 7dccff9775731..277d78b7e3b2a 100644
--- a/src/wp-includes/script-loader.php
+++ b/src/wp-includes/script-loader.php
@@ -3026,6 +3026,12 @@ function wp_get_inline_script_tag( $data, $attributes = array() ) {
 	 */
 	$attributes = apply_filters( 'wp_inline_script_attributes', $attributes, $data );
 
+	$script_tag = sprintf( '<script%s></script>', wp_sanitize_script_attributes( $attributes ) );
+	$processor  = new WP_HTML_Tag_Processor( $script_tag );
+	if ( $processor->next_tag( 'SCRIPT' ) && $processor->set_modifiable_text( $data ) ) {
+		return $processor->get_updated_html() . "\n";
+	}
+
 	return sprintf( "<script%s>%s</script>\n", wp_sanitize_script_attributes( $attributes ), $data );
 }
 

From deebd5453b3610415e115e6c2182c97538ac14c1 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 16 Dec 2025 19:33:31 +0100
Subject: [PATCH 10/60] Use the tag processor for all the inline script tags

---
 src/wp-includes/script-loader.php | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/wp-includes/script-loader.php b/src/wp-includes/script-loader.php
index 277d78b7e3b2a..9e88ea67458ec 100644
--- a/src/wp-includes/script-loader.php
+++ b/src/wp-includes/script-loader.php
@@ -3026,13 +3026,15 @@ function wp_get_inline_script_tag( $data, $attributes = array() ) {
 	 */
 	$attributes = apply_filters( 'wp_inline_script_attributes', $attributes, $data );
 
-	$script_tag = sprintf( '<script%s></script>', wp_sanitize_script_attributes( $attributes ) );
-	$processor  = new WP_HTML_Tag_Processor( $script_tag );
-	if ( $processor->next_tag( 'SCRIPT' ) && $processor->set_modifiable_text( $data ) ) {
-		return $processor->get_updated_html() . "\n";
+	$processor = new WP_HTML_Tag_Processor( "<script></script>\n" );
+	$processor->next_tag();
+	foreach ( $attributes as $name => $value ) {
+		if ( is_string( $value ) || true === $value ) {
+			assert( $processor->set_attribute( $name, $value ) );
+		}
 	}
-
-	return sprintf( "<script%s>%s</script>\n", wp_sanitize_script_attributes( $attributes ), $data );
+	assert( $processor->set_modifiable_text( $data ) );
+	return $processor->get_updated_html();
 }
 
 /**

From d78cd35b9cbfefa5bbf2b5c193256d1472fb41fd Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 16 Dec 2025 19:34:48 +0100
Subject: [PATCH 11/60] Remove assertions

---
 src/wp-includes/script-loader.php | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/wp-includes/script-loader.php b/src/wp-includes/script-loader.php
index 9e88ea67458ec..fcedb5b8653d2 100644
--- a/src/wp-includes/script-loader.php
+++ b/src/wp-includes/script-loader.php
@@ -3029,11 +3029,9 @@ function wp_get_inline_script_tag( $data, $attributes = array() ) {
 	$processor = new WP_HTML_Tag_Processor( "<script></script>\n" );
 	$processor->next_tag();
 	foreach ( $attributes as $name => $value ) {
-		if ( is_string( $value ) || true === $value ) {
-			assert( $processor->set_attribute( $name, $value ) );
-		}
+			$processor->set_attribute( $name, $value );
 	}
-	assert( $processor->set_modifiable_text( $data ) );
+	$processor->set_modifiable_text( $data );
 	return $processor->get_updated_html();
 }
 

From c29c3d92edae3863d2888bb8f28be17760573833 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 16 Dec 2025 20:25:07 +0100
Subject: [PATCH 12/60] PICKME: Update Script Modules tests to use
 assertEqualHTML

---
 tests/phpunit/tests/script-modules/wpScriptModules.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/phpunit/tests/script-modules/wpScriptModules.php b/tests/phpunit/tests/script-modules/wpScriptModules.php
index c80d1e745779c..aafaa47cc35e6 100644
--- a/tests/phpunit/tests/script-modules/wpScriptModules.php
+++ b/tests/phpunit/tests/script-modules/wpScriptModules.php
@@ -1234,7 +1234,7 @@ function ( $data ) {
 </script>
 
 HTML;
-		$this->assertSame( $expected, $actual );
+		$this->assertEqualHTML( $expected, $actual );
 	}
 
 	/**
@@ -1259,7 +1259,7 @@ function ( $data ) {
 </script>
 
 HTML;
-		$this->assertSame( $expected, $actual );
+		$this->assertEqualHTML( $expected, $actual );
 	}
 
 	/**
@@ -1332,7 +1332,7 @@ function ( $data ) use ( $input ) {
 
 HTML;
 
-		$this->assertSame( $expected, $actual );
+		$this->assertEqualHTML( $expected, $actual );
 	}
 
 	/**

From abeebd662bddf8401873ce88934339d234668d3f Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 16 Dec 2025 20:25:20 +0100
Subject: [PATCH 13/60] Revert "Remove assertions"

This reverts commit d78cd35b9cbfefa5bbf2b5c193256d1472fb41fd.
---
 src/wp-includes/script-loader.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/wp-includes/script-loader.php b/src/wp-includes/script-loader.php
index fcedb5b8653d2..9e88ea67458ec 100644
--- a/src/wp-includes/script-loader.php
+++ b/src/wp-includes/script-loader.php
@@ -3029,9 +3029,11 @@ function wp_get_inline_script_tag( $data, $attributes = array() ) {
 	$processor = new WP_HTML_Tag_Processor( "<script></script>\n" );
 	$processor->next_tag();
 	foreach ( $attributes as $name => $value ) {
-			$processor->set_attribute( $name, $value );
+		if ( is_string( $value ) || true === $value ) {
+			assert( $processor->set_attribute( $name, $value ) );
+		}
 	}
-	$processor->set_modifiable_text( $data );
+	assert( $processor->set_modifiable_text( $data ) );
 	return $processor->get_updated_html();
 }
 

From 1362451a6bd1c2e5423dc70f22ee197e85f490af Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Fri, 19 Dec 2025 13:35:42 +0100
Subject: [PATCH 14/60] Add JS and JSON script tag tests

---
 .../html-api/wpHtmlTagProcessorScriptTag.php  | 251 ++++++++++++++++++
 1 file changed, 251 insertions(+)
 create mode 100644 tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php

diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
new file mode 100644
index 0000000000000..df74d2f6be50b
--- /dev/null
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
@@ -0,0 +1,251 @@
+<?php
+/**
+ * Unit tests covering WP_HTML_Tag_Processor script tag functionality.
+ *
+ * @package WordPress
+ * @subpackage HTML-API
+ *
+ * @group html-api
+ *
+ * @coversDefaultClass WP_HTML_Tag_Processor
+ */
+class Tests_HtmlApi_WpHtmlTagProcessorScriptTag extends WP_UnitTestCase {
+	/**
+	 * @ticket 64419
+	 *
+	 * @covers WP_HTML_Tag_Processor::is_javascript_script_tag
+	 *
+	 * @dataProvider data_is_javascript_script_tag
+	 *
+	 * @param string $html             HTML containing a script tag.
+	 * @param bool   $expected_result  Whether the script tag should be identified as JavaScript.
+	 */
+	public function test_is_javascript_script_tag( string $html, bool $expected_result ) {
+		$processor = new WP_HTML_Tag_Processor( $html );
+		$processor->next_tag();
+
+		$this->assertSame( 'SCRIPT', $processor->get_tag(), 'Should be positioned on a SCRIPT tag' );
+		$this->assertSame(
+			$expected_result,
+			$processor->is_javascript_script_tag(),
+			'Failed to correctly identify JavaScript script tag'
+		);
+	}
+
+	/**
+	 * Data provider for test_is_javascript_script_tag.
+	 *
+	 * @return array[]
+	 */
+	public static function data_is_javascript_script_tag() {
+		return array(
+			// Script tags without type or language attributes - should be JavaScript.
+			'Script tag without attributes'              => array( '<script></script>', true ),
+			'Script tag with other attributes'           => array( '<script id="test"></script>', true ),
+
+			// Script tags with empty type attribute - should be JavaScript.
+			'Script tag with empty type attribute'       => array( '<script type=""></script>', true ),
+			'Script tag with boolean type attribute'     => array( '<script type></script>', true ),
+
+			// Script tags with falsy but non-empty type attribute.
+			'Script tag with type="0"'                   => array( '<script type="0"></script>', false ),
+
+			// Script tags without type but with language attribute - should be JavaScript.
+			'Script tag with empty language attribute'   => array( '<script language=""></script>', true ),
+			'Script tag with boolean language attribute' => array( '<script language></script>', true ),
+
+			// Script tags with falsy but non-empty language attribute.
+			'Script tag with language="0"'               => array( '<script language="0"></script>', false ),
+
+			// Script tags with JavaScript MIME types - should be JavaScript.
+			'Script tag with application/ecmascript'     => array( '<script type="application/ecmascript"></script>', true ),
+			'Script tag with application/javascript'     => array( '<script type="application/javascript"></script>', true ),
+			'Script tag with application/x-ecmascript'   => array( '<script type="application/x-ecmascript"></script>', true ),
+			'Script tag with application/x-javascript'   => array( '<script type="application/x-javascript"></script>', true ),
+			'Script tag with text/ecmascript'            => array( '<script type="text/ecmascript"></script>', true ),
+			'Script tag with text/javascript'            => array( '<script type="text/javascript"></script>', true ),
+			'Script tag with text/javascript1.0'         => array( '<script type="text/javascript1.0"></script>', true ),
+			'Script tag with text/javascript1.1'         => array( '<script type="text/javascript1.1"></script>', true ),
+			'Script tag with text/javascript1.2'         => array( '<script type="text/javascript1.2"></script>', true ),
+			'Script tag with text/javascript1.3'         => array( '<script type="text/javascript1.3"></script>', true ),
+			'Script tag with text/javascript1.4'         => array( '<script type="text/javascript1.4"></script>', true ),
+			'Script tag with text/javascript1.5'         => array( '<script type="text/javascript1.5"></script>', true ),
+			'Script tag with text/jscript'               => array( '<script type="text/jscript"></script>', true ),
+			'Script tag with text/livescript'            => array( '<script type="text/livescript"></script>', true ),
+			'Script tag with text/x-ecmascript'          => array( '<script type="text/x-ecmascript"></script>', true ),
+			'Script tag with text/x-javascript'          => array( '<script type="text/x-javascript"></script>', true ),
+
+			// Case-insensitive matching for JavaScript MIME types.
+			'Script tag with UPPERCASE type'             => array( '<script type="TEXT/JAVASCRIPT"></script>', true ),
+			'Script tag with MixedCase type'             => array( '<script type="Text/JavaScript"></script>', true ),
+			'Script tag with APPLICATION/JAVASCRIPT'     => array( '<script type="APPLICATION/JAVASCRIPT"></script>', true ),
+
+			// Script tags with module type - should be JavaScript.
+			'Script tag with module type'                => array( '<script type="module"></script>', true ),
+			'Script tag with MODULE type uppercase'      => array( '<script type="MODULE"></script>', true ),
+			'Script tag with MoDuLe type mixed case'     => array( '<script type="MoDuLe"></script>', true ),
+
+			// Script tags with whitespace around type - should strip whitespace.
+			'Script tag with leading whitespace'         => array( '<script type=" text/javascript"></script>', true ),
+			'Script tag with trailing whitespace'        => array( '<script type="text/javascript "></script>', true ),
+			'Script tag with surrounding whitespace'     => array( '<script type=" text/javascript "></script>', true ),
+			'Script tag with tab whitespace'             => array( "<script type=\"\ttext/javascript\t\"></script>", true ),
+			'Script tag with newline whitespace'         => array( "<script type=\"\ntext/javascript\n\"></script>", true ),
+			'Script tag with mixed whitespace'           => array( "<script type=\" \t\ntext/javascript \t\n\"></script>", true ),
+
+			// Script tags with language attribute and non-empty value - should use text/{language}.
+			'Script tag with language="javascript"'      => array( '<script language="javascript"></script>', true ),
+			'Script tag with language="JavaScript"'      => array( '<script language="JavaScript"></script>', true ),
+			'Script tag with language="ecmascript"'      => array( '<script language="ecmascript"></script>', true ),
+			'Script tag with language="jscript"'         => array( '<script language="jscript"></script>', true ),
+			'Script tag with language="livescript"'      => array( '<script language="livescript"></script>', true ),
+
+			// Non-JavaScript script tags - should NOT be JavaScript.
+			'Script tag with importmap type'             => array( '<script type="importmap"></script>', false ),
+			'Script tag with speculationrules type'      => array( '<script type="speculationrules"></script>', false ),
+			'Script tag with application/json type'      => array( '<script type="application/json"></script>', false ),
+			'Script tag with text/json type'             => array( '<script type="text/json"></script>', false ),
+			'Script tag with unknown MIME type'          => array( '<script type="text/plain"></script>', false ),
+			'Script tag with application/xml type'       => array( '<script type="application/xml"></script>', false ),
+			'Script tag with random type'                => array( '<script type="random/type"></script>', false ),
+
+			// Non-script tags - should NOT be JavaScript.
+			'DIV tag'                                    => array( '<div></div>', false ),
+			'SPAN tag'                                   => array( '<span></span>', false ),
+			'P tag'                                      => array( '<p></p>', false ),
+		);
+	}
+
+	/**
+	 * @ticket 64419
+	 *
+	 * @covers WP_HTML_Tag_Processor::is_javascript_script_tag
+	 */
+	public function test_is_javascript_script_tag_returns_false_before_finding_tags() {
+		$processor = new WP_HTML_Tag_Processor( 'Just some text' );
+		$processor->next_token();
+
+		$this->assertFalse(
+			$processor->is_javascript_script_tag(),
+			'Should return false when not stopped on script tag'
+		);
+	}
+
+	/**
+	 * @ticket 64419
+	 *
+	 * @covers WP_HTML_Tag_Processor::is_javascript_script_tag
+	 */
+	public function test_is_javascript_script_tag_returns_false_for_non_html_namespace() {
+		$processor = new WP_HTML_Tag_Processor( '<svg><script type="text/javascript"></script></svg>' );
+		$processor->next_tag( 'SCRIPT' );
+
+		$this->assertFalse(
+			$processor->is_javascript_script_tag(),
+			'Should return false for script tags in non-HTML namespace'
+		);
+	}
+
+	/**
+	 * @ticket 64419
+	 *
+	 * @covers WP_HTML_Tag_Processor::is_json_script_tag
+	 *
+	 * @dataProvider data_is_json_script_tag
+	 *
+	 * @param string $html             HTML containing a script tag.
+	 * @param bool   $expected_result  Whether the script tag should be identified as JSON.
+	 */
+	public function test_is_json_script_tag( string $html, bool $expected_result ) {
+		$processor = new WP_HTML_Tag_Processor( $html );
+		$processor->next_tag();
+
+		$this->assertSame( 'SCRIPT', $processor->get_tag(), 'Should be positioned on a SCRIPT tag' );
+		$this->assertSame(
+			$expected_result,
+			$processor->is_json_script_tag(),
+			'Failed to correctly identify JSON script tag'
+		);
+	}
+
+	/**
+	 * Data provider for test_is_json_script_tag.
+	 *
+	 * @return array[]
+	 */
+	public static function data_is_json_script_tag() {
+		return array(
+			// JSON MIME types - should be JSON.
+			'Script tag with application/json type'      => array( '<script type="application/json"></script>', true ),
+			'Script tag with text/json type'             => array( '<script type="text/json"></script>', true ),
+
+			// importmap and speculationrules - should be JSON.
+			'Script tag with importmap type'             => array( '<script type="importmap"></script>', true ),
+			'Script tag with speculationrules type'      => array( '<script type="speculationrules"></script>', true ),
+
+			// Case-insensitive matching for JSON types.
+			'Script tag with APPLICATION/JSON uppercase' => array( '<script type="APPLICATION/JSON"></script>', true ),
+			'Script tag with Text/Json mixed case'       => array( '<script type="Text/Json"></script>', true ),
+			'Script tag with IMPORTMAP uppercase'        => array( '<script type="IMPORTMAP"></script>', true ),
+			'Script tag with ImportMap mixed case'       => array( '<script type="ImportMap"></script>', true ),
+			'Script tag with SPECULATIONRULES uppercase' => array( '<script type="SPECULATIONRULES"></script>', true ),
+			'Script tag with SpeculationRules mixed'     => array( '<script type="SpeculationRules"></script>', true ),
+
+			// Whitespace handling - should strip whitespace.
+			'Script tag with leading whitespace'         => array( '<script type=" application/json"></script>', true ),
+			'Script tag with trailing whitespace'        => array( '<script type="application/json "></script>', true ),
+			'Script tag with surrounding whitespace'     => array( '<script type=" application/json "></script>', true ),
+			'Script tag with tab whitespace'             => array( "<script type=\"\tapplication/json\t\"></script>", true ),
+			'Script tag with newline whitespace'         => array( "<script type=\"\napplication/json\n\"></script>", true ),
+			'Script tag with mixed whitespace'           => array( "<script type=\" \t\napplication/json \t\n\"></script>", true ),
+
+			// Non-JSON script tags - should NOT be JSON.
+			'Script tag without type attribute'          => array( '<script></script>', false ),
+			'Script tag with empty type attribute'       => array( '<script type=""></script>', false ),
+			'Script tag with boolean type attribute'     => array( '<script type></script>', false ),
+
+			// Script tags with falsy but non-empty type attribute.
+			'Script tag with type="0"'                   => array( '<script type="0"></script>', false ),
+
+			'Script tag with text/javascript type'       => array( '<script type="text/javascript"></script>', false ),
+			'Script tag with module type'                => array( '<script type="module"></script>', false ),
+			'Script tag with unknown MIME type'          => array( '<script type="text/plain"></script>', false ),
+			'Script tag with application/xml type'       => array( '<script type="application/xml"></script>', false ),
+
+			// Non-script tags - should NOT be JSON.
+			'DIV tag'                                    => array( '<div></div>', false ),
+			'SPAN tag'                                   => array( '<span></span>', false ),
+			'P tag'                                      => array( '<p></p>', false ),
+		);
+	}
+
+	/**
+	 * @ticket 64419
+	 *
+	 * @covers WP_HTML_Tag_Processor::is_json_script_tag
+	 */
+	public function test_is_json_script_tag_returns_false_before_finding_tags() {
+		$processor = new WP_HTML_Tag_Processor( 'Just some text' );
+		$processor->next_token();
+
+		$this->assertFalse(
+			$processor->is_json_script_tag(),
+			'Should return false when not stopped on script tag'
+		);
+	}
+
+	/**
+	 * @ticket 64419
+	 *
+	 * @covers WP_HTML_Tag_Processor::is_json_script_tag
+	 */
+	public function test_is_json_script_tag_returns_false_for_non_html_namespace() {
+		$processor = new WP_HTML_Tag_Processor( '<svg><script type="application/json"></script></svg>' );
+		$processor->next_tag( 'SCRIPT' );
+
+		$this->assertFalse(
+			$processor->is_json_script_tag(),
+			'Should return false for script tags in non-HTML namespace'
+		);
+	}
+}

From 8d30680f290b986c35e646ca11e25c6164abeaad Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 15:10:39 +0100
Subject: [PATCH 15/60] Fix typo in comment

Co-authored-by: Weston Ruter <westonruter@gmail.com>
---
 src/wp-includes/html-api/class-wp-html-tag-processor.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 47084f632226a..133e26693e453 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3868,7 +3868,7 @@ static function ( $matches ) {
 						/**
 						 * JSON can be safely escaped.
 						 *
-						 * The following replacement may appear insuficcient, "<" is replaced
+						 * The following replacement may appear insufficient, "<" is replaced
 						 * with its JSON escape sequence "\u003C" without considering whether
 						 * the "<" is preceded by an escaping slash. JSON does not support
 						 * arbitrary character escaping (like JavaScript strings) so "\<"

From 3b5ef4e75850ce1c4de019d2cae2598f7422bf54 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 15:12:17 +0100
Subject: [PATCH 16/60] Improve comment

---
 src/wp-includes/html-api/class-wp-html-tag-processor.php | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 133e26693e453..35f2f915631b5 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3870,14 +3870,12 @@ static function ( $matches ) {
 						 *
 						 * The following replacement may appear insufficient, "<" is replaced
 						 * with its JSON escape sequence "\u003C" without considering whether
-						 * the "<" is preceded by an escaping slash. JSON does not support
-						 * arbitrary character escaping (like JavaScript strings) so "\<"
-						 * is invalid JSON and would have to be preceded by
-						 * an escaped backslash: "\\<".
+						 * the "<" is preceded by an escaping backslash. JSON does not support
+						 * arbitrary character escaping in strings (unlike JavaScript) so "\<"
+						 * is invalid JSON and does not need to be considered.
 						 *
 						 * @see https://www.json.org/json-en.html
 						 */
-
 						$plaintext_content = strtr(
 							$plaintext_content,
 							array( '<' => '\\u003C' )

From f8cfdf926fd2c70b0a7ef03c7bac4dac20094ad3 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 15:34:59 +0100
Subject: [PATCH 17/60] Clean up and fix tests

---
 .../html-api/wpHtmlTagProcessorScriptTag.php  | 24 +++++++------------
 1 file changed, 9 insertions(+), 15 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
index df74d2f6be50b..4f4577f8976a3 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
@@ -23,8 +23,6 @@ class Tests_HtmlApi_WpHtmlTagProcessorScriptTag extends WP_UnitTestCase {
 	public function test_is_javascript_script_tag( string $html, bool $expected_result ) {
 		$processor = new WP_HTML_Tag_Processor( $html );
 		$processor->next_tag();
-
-		$this->assertSame( 'SCRIPT', $processor->get_tag(), 'Should be positioned on a SCRIPT tag' );
 		$this->assertSame(
 			$expected_result,
 			$processor->is_javascript_script_tag(),
@@ -37,7 +35,7 @@ public function test_is_javascript_script_tag( string $html, bool $expected_resu
 	 *
 	 * @return array[]
 	 */
-	public static function data_is_javascript_script_tag() {
+	public static function data_is_javascript_script_tag(): array {
 		return array(
 			// Script tags without type or language attributes - should be JavaScript.
 			'Script tag without attributes'              => array( '<script></script>', true ),
@@ -57,7 +55,7 @@ public static function data_is_javascript_script_tag() {
 			// Script tags with falsy but non-empty language attribute.
 			'Script tag with language="0"'               => array( '<script language="0"></script>', false ),
 
-			// Script tags with JavaScript MIME types - should be JavaScript.
+			// Script tags with JavaScript MIME essence - should be JavaScript.
 			'Script tag with application/ecmascript'     => array( '<script type="application/ecmascript"></script>', true ),
 			'Script tag with application/javascript'     => array( '<script type="application/javascript"></script>', true ),
 			'Script tag with application/x-ecmascript'   => array( '<script type="application/x-ecmascript"></script>', true ),
@@ -75,7 +73,7 @@ public static function data_is_javascript_script_tag() {
 			'Script tag with text/x-ecmascript'          => array( '<script type="text/x-ecmascript"></script>', true ),
 			'Script tag with text/x-javascript'          => array( '<script type="text/x-javascript"></script>', true ),
 
-			// Case-insensitive matching for JavaScript MIME types.
+			// Case-insensitive matching for JavaScript MIME essence.
 			'Script tag with UPPERCASE type'             => array( '<script type="TEXT/JAVASCRIPT"></script>', true ),
 			'Script tag with MixedCase type'             => array( '<script type="Text/JavaScript"></script>', true ),
 			'Script tag with APPLICATION/JAVASCRIPT'     => array( '<script type="APPLICATION/JAVASCRIPT"></script>', true ),
@@ -137,9 +135,8 @@ public function test_is_javascript_script_tag_returns_false_before_finding_tags(
 	 * @covers WP_HTML_Tag_Processor::is_javascript_script_tag
 	 */
 	public function test_is_javascript_script_tag_returns_false_for_non_html_namespace() {
-		$processor = new WP_HTML_Tag_Processor( '<svg><script type="text/javascript"></script></svg>' );
-		$processor->next_tag( 'SCRIPT' );
-
+		$processor = new WP_HTML_Tag_Processor( '<script></script>' );
+		$processor->change_parsing_namespace( 'svg' );
 		$this->assertFalse(
 			$processor->is_javascript_script_tag(),
 			'Should return false for script tags in non-HTML namespace'
@@ -159,8 +156,6 @@ public function test_is_javascript_script_tag_returns_false_for_non_html_namespa
 	public function test_is_json_script_tag( string $html, bool $expected_result ) {
 		$processor = new WP_HTML_Tag_Processor( $html );
 		$processor->next_tag();
-
-		$this->assertSame( 'SCRIPT', $processor->get_tag(), 'Should be positioned on a SCRIPT tag' );
 		$this->assertSame(
 			$expected_result,
 			$processor->is_json_script_tag(),
@@ -173,7 +168,7 @@ public function test_is_json_script_tag( string $html, bool $expected_result ) {
 	 *
 	 * @return array[]
 	 */
-	public static function data_is_json_script_tag() {
+	public static function data_is_json_script_tag(): array {
 		return array(
 			// JSON MIME types - should be JSON.
 			'Script tag with application/json type'      => array( '<script type="application/json"></script>', true ),
@@ -227,7 +222,6 @@ public static function data_is_json_script_tag() {
 	public function test_is_json_script_tag_returns_false_before_finding_tags() {
 		$processor = new WP_HTML_Tag_Processor( 'Just some text' );
 		$processor->next_token();
-
 		$this->assertFalse(
 			$processor->is_json_script_tag(),
 			'Should return false when not stopped on script tag'
@@ -240,9 +234,9 @@ public function test_is_json_script_tag_returns_false_before_finding_tags() {
 	 * @covers WP_HTML_Tag_Processor::is_json_script_tag
 	 */
 	public function test_is_json_script_tag_returns_false_for_non_html_namespace() {
-		$processor = new WP_HTML_Tag_Processor( '<svg><script type="application/json"></script></svg>' );
-		$processor->next_tag( 'SCRIPT' );
-
+		$processor = new WP_HTML_Tag_Processor( '<script></script>' );
+		$processor->change_parsing_namespace( 'svg' );
+		$processor->next_tag();
 		$this->assertFalse(
 			$processor->is_json_script_tag(),
 			'Should return false for script tags in non-HTML namespace'

From 501d2019e0dbfb9d5334118c4c137ca00354b732 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 15:52:39 +0100
Subject: [PATCH 18/60] Clean up and improve type/language logic

---
 .../html-api/class-wp-html-tag-processor.php  | 32 ++++++++-----------
 1 file changed, 13 insertions(+), 19 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 35f2f915631b5..41baefc50891d 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3967,16 +3967,12 @@ public function is_javascript_script_tag(): bool {
 		 */
 		$type_attr     = $this->get_attribute( 'type' );
 		$language_attr = $this->get_attribute( 'language' );
-
 		if ( true === $type_attr || '' === $type_attr ) {
 			return true;
 		}
 		if (
-			null === $type_attr && (
-				true === $language_attr ||
-				'' === $language_attr ||
-				null === $language_attr
-			)
+			null === $type_attr
+			&& ( null === $language_attr || true === $language_attr || '' === $language_attr )
 		) {
 			return true;
 		}
@@ -3987,7 +3983,7 @@ public function is_javascript_script_tag(): bool {
 		 * > Otherwise, el has a non-empty language attribute; let the script block's type string
 		 * > be the concatenation of "text/" and the value of el's language attribute.
 		 */
-		$type_string = $type_attr ? trim( $type_attr, " \t\f\r\n" ) : "text/{$language_attr}";
+		$type_string = null !== $type_attr ? trim( $type_attr, " \t\f\r\n" ) : "text/{$language_attr}";
 
 		/*
 		 * > If the script block's type string is a JavaScript MIME type essence match, then
@@ -4048,10 +4044,10 @@ public function is_javascript_script_tag(): bool {
 		}
 
 		/*
-		 * > - Otherwise, if the script block's type string is an ASCII case-insensitive match for
-		 * >   the string "importmap", then set el's type to "importmap".
+		 * > Otherwise, if the script block's type string is an ASCII case-insensitive match for the string "importmap", then set el's type to "importmap".
+		 * > Otherwise, if the script block's type string is an ASCII case-insensitive match for the string "speculationrules", then set el's type to "speculationrules".
 		 *
-		 * An importmap is JSON and not evaluated as JavaScript. This case is not handled here.
+		 * These conditions indicate JSON content.
 		 */
 
 		/*
@@ -4072,13 +4068,11 @@ public function is_json_script_tag(): bool {
 			return false;
 		}
 
-		$type_attr = $this->get_attribute( 'type' );
-
-		if ( empty( $type_attr ) || true === $type_attr ) {
+		$type = $this->get_attribute( 'type' );
+		if ( null === $type || true === $type || '' === $type ) {
 			return false;
 		}
-
-		$type_string = strtolower( trim( $type_attr, " \t\f\r\n" ) );
+		$type = strtolower( trim( $type, " \t\f\r\n" ) );
 
 		/*
 		 * > …
@@ -4095,10 +4089,10 @@ public function is_json_script_tag(): bool {
 		 * @see https://mimesniff.spec.whatwg.org/#json-mime-type
 		 */
 		if (
-			'application/json' === $type_string
-			|| 'importmap' === $type_string
-			|| 'speculationrules' === $type_string
-			|| 'text/json' === $type_string
+			'application/json' === $type
+			|| 'importmap' === $type
+			|| 'speculationrules' === $type
+			|| 'text/json' === $type
 		) {
 			return true;
 		}

From bcc02aee4e8f9a7a63305d6d8f790029bfcc7ab5 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 16:09:44 +0100
Subject: [PATCH 19/60] Fix svg SCRIPT tag tests

---
 tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
index 4f4577f8976a3..f874c5fb62847 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
@@ -137,6 +137,8 @@ public function test_is_javascript_script_tag_returns_false_before_finding_tags(
 	public function test_is_javascript_script_tag_returns_false_for_non_html_namespace() {
 		$processor = new WP_HTML_Tag_Processor( '<script></script>' );
 		$processor->change_parsing_namespace( 'svg' );
+		$processor->next_tag();
+		$this->assertSame( 'SCRIPT', $processor->get_tag() );
 		$this->assertFalse(
 			$processor->is_javascript_script_tag(),
 			'Should return false for script tags in non-HTML namespace'
@@ -237,6 +239,7 @@ public function test_is_json_script_tag_returns_false_for_non_html_namespace() {
 		$processor = new WP_HTML_Tag_Processor( '<script></script>' );
 		$processor->change_parsing_namespace( 'svg' );
 		$processor->next_tag();
+		$this->assertSame( 'SCRIPT', $processor->get_tag() );
 		$this->assertFalse(
 			$processor->is_json_script_tag(),
 			'Should return false for script tags in non-HTML namespace'

From ea034418ec21dc2fe03decd2951debaa6387acee Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 16:13:44 +0100
Subject: [PATCH 20/60] Add todo on MIME type parsing

---
 .../html-api/class-wp-html-tag-processor.php          | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 41baefc50891d..ae5721114bf69 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -4083,16 +4083,15 @@ public function is_json_script_tag(): bool {
 		 * > A JSON MIME type is any MIME type whose subtype ends in "+json" or whose essence
 		 * > is "application/json" or "text/json".
 		 *
-		 * The JSON subtype ending in "+json" is not currently handled due to lack
-		 * of a MIME type parser.
+		 * @todo The JSON MIME type handling handles some common cases but when MIME type parsing is available it should be leveraged here.
 		 *
 		 * @see https://mimesniff.spec.whatwg.org/#json-mime-type
 		 */
 		if (
-			'application/json' === $type
-			|| 'importmap' === $type
-			|| 'speculationrules' === $type
-			|| 'text/json' === $type
+			'importmap' === $type ||
+			'speculationrules' === $type ||
+			'application/json' === $type ||
+			'text/json' === $type
 		) {
 			return true;
 		}

From c7d18272965fdfb75416784dcecee8597bc3ceb4 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 16:13:59 +0100
Subject: [PATCH 21/60] =?UTF-8?q?Update=20since=20tags=20=F0=9F=A4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/wp-includes/html-api/class-wp-html-tag-processor.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index ae5721114bf69..4ae168218bdd9 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3948,7 +3948,7 @@ static function ( $tag_match ) {
 	 *
 	 * @see https://html.spec.whatwg.org/multipage/scripting.html#prepare-the-script-element
 	 *
-	 * @since {WP_VERSION}
+	 * @since 7.0.0
 	 *
 	 * @return bool True if the script tag will be evaluated as JavaScript.
 	 */
@@ -4059,7 +4059,7 @@ public function is_javascript_script_tag(): bool {
 	/**
 	 * Indicates if the currently matched tag is a JSON script tag.
 	 *
-	 * @since {WP_VERSION}
+	 * @since 7.0.0
 	 *
 	 * @return bool True if the script tag should be treated as JSON.
 	 */

From a134e822990abdbc1da90a3a82cfcc9420a309c8 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 16:18:39 +0100
Subject: [PATCH 22/60] Make is_{javascript,json}_script_tag methods private

---
 .../html-api/class-wp-html-tag-processor.php  |  4 +--
 .../html-api/wpHtmlTagProcessorScriptTag.php  | 32 +++++++++++++++----
 2 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 4ae168218bdd9..dc6d321d1722b 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3952,7 +3952,7 @@ static function ( $tag_match ) {
 	 *
 	 * @return bool True if the script tag will be evaluated as JavaScript.
 	 */
-	public function is_javascript_script_tag(): bool {
+	private function is_javascript_script_tag(): bool {
 		if ( 'SCRIPT' !== $this->get_tag() || $this->get_namespace() !== 'html' ) {
 			return false;
 		}
@@ -4063,7 +4063,7 @@ public function is_javascript_script_tag(): bool {
 	 *
 	 * @return bool True if the script tag should be treated as JSON.
 	 */
-	public function is_json_script_tag(): bool {
+	private function is_json_script_tag(): bool {
 		if ( 'SCRIPT' !== $this->get_tag() || $this->get_namespace() !== 'html' ) {
 			return false;
 		}
diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
index f874c5fb62847..1ec67483ba9ff 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
@@ -23,9 +23,13 @@ class Tests_HtmlApi_WpHtmlTagProcessorScriptTag extends WP_UnitTestCase {
 	public function test_is_javascript_script_tag( string $html, bool $expected_result ) {
 		$processor = new WP_HTML_Tag_Processor( $html );
 		$processor->next_tag();
+
+		$result = ( function () {
+			return $this->is_javascript_script_tag();
+		} )->call( $processor );
 		$this->assertSame(
 			$expected_result,
-			$processor->is_javascript_script_tag(),
+			$result,
 			'Failed to correctly identify JavaScript script tag'
 		);
 	}
@@ -122,9 +126,11 @@ public static function data_is_javascript_script_tag(): array {
 	public function test_is_javascript_script_tag_returns_false_before_finding_tags() {
 		$processor = new WP_HTML_Tag_Processor( 'Just some text' );
 		$processor->next_token();
-
+		$result = ( function () {
+			return $this->is_javascript_script_tag();
+		} )->call( $processor );
 		$this->assertFalse(
-			$processor->is_javascript_script_tag(),
+			$result,
 			'Should return false when not stopped on script tag'
 		);
 	}
@@ -139,8 +145,11 @@ public function test_is_javascript_script_tag_returns_false_for_non_html_namespa
 		$processor->change_parsing_namespace( 'svg' );
 		$processor->next_tag();
 		$this->assertSame( 'SCRIPT', $processor->get_tag() );
+		$result = ( function () {
+			return $this->is_javascript_script_tag();
+		} )->call( $processor );
 		$this->assertFalse(
-			$processor->is_javascript_script_tag(),
+			$result,
 			'Should return false for script tags in non-HTML namespace'
 		);
 	}
@@ -158,9 +167,12 @@ public function test_is_javascript_script_tag_returns_false_for_non_html_namespa
 	public function test_is_json_script_tag( string $html, bool $expected_result ) {
 		$processor = new WP_HTML_Tag_Processor( $html );
 		$processor->next_tag();
+		$result = ( function () {
+			return $this->is_json_script_tag();
+		} )->call( $processor );
 		$this->assertSame(
 			$expected_result,
-			$processor->is_json_script_tag(),
+			$result,
 			'Failed to correctly identify JSON script tag'
 		);
 	}
@@ -224,8 +236,11 @@ public static function data_is_json_script_tag(): array {
 	public function test_is_json_script_tag_returns_false_before_finding_tags() {
 		$processor = new WP_HTML_Tag_Processor( 'Just some text' );
 		$processor->next_token();
+		$result = ( function () {
+			return $this->is_json_script_tag();
+		} )->call( $processor );
 		$this->assertFalse(
-			$processor->is_json_script_tag(),
+			$result,
 			'Should return false when not stopped on script tag'
 		);
 	}
@@ -240,8 +255,11 @@ public function test_is_json_script_tag_returns_false_for_non_html_namespace() {
 		$processor->change_parsing_namespace( 'svg' );
 		$processor->next_tag();
 		$this->assertSame( 'SCRIPT', $processor->get_tag() );
+		$result = ( function () {
+			return $this->is_json_script_tag();
+		} )->call( $processor );
 		$this->assertFalse(
-			$processor->is_json_script_tag(),
+			$result,
 			'Should return false for script tags in non-HTML namespace'
 		);
 	}

From d4bd4b3c9adefc81c5b38febfb09f6bf789e6bb0 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 16:31:58 +0100
Subject: [PATCH 23/60] Add language whitespace test

---
 tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
index 1ec67483ba9ff..74a2021c01004 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
@@ -102,6 +102,9 @@ public static function data_is_javascript_script_tag(): array {
 			'Script tag with language="jscript"'         => array( '<script language="jscript"></script>', true ),
 			'Script tag with language="livescript"'      => array( '<script language="livescript"></script>', true ),
 
+			// Whitespace is not trimmed in the langauge attribute.
+			'Script tag with language=" javascript"'      => array( '<script language=" javascript"></script>', false ),
+
 			// Non-JavaScript script tags - should NOT be JavaScript.
 			'Script tag with importmap type'             => array( '<script type="importmap"></script>', false ),
 			'Script tag with speculationrules type'      => array( '<script type="speculationrules"></script>', false ),

From edae8d5875b069847c0398c7c3d614840414528e Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 16:35:19 +0100
Subject: [PATCH 24/60] How'd that extra space get there, remove it!

---
 tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
index 74a2021c01004..9f89f78a2fcd4 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
@@ -103,7 +103,7 @@ public static function data_is_javascript_script_tag(): array {
 			'Script tag with language="livescript"'      => array( '<script language="livescript"></script>', true ),
 
 			// Whitespace is not trimmed in the langauge attribute.
-			'Script tag with language=" javascript"'      => array( '<script language=" javascript"></script>', false ),
+			'Script tag with language=" javascript"'     => array( '<script language=" javascript"></script>', false ),
 
 			// Non-JavaScript script tags - should NOT be JavaScript.
 			'Script tag with importmap type'             => array( '<script type="importmap"></script>', false ),

From 02ca3c03283e541d5075b1c96a63aa64223688bb Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 18:10:08 +0100
Subject: [PATCH 25/60] Name search parts

---
 src/wp-includes/html-api/class-wp-html-tag-processor.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index dc6d321d1722b..8172676e3a2f7 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3855,12 +3855,12 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 							 * 2: "s"
 							 * 3: "cript" + a trailing character that terminates a tag name.
 							 */
-							'~(</?)(s)(cript[\\t\\r\\n\\f />])~i',
+							'~(?P<HEAD></?)(?P<S_CHAR>s)(?P<TAIL>cript[\\t\\r\\n\\f />])~i',
 							static function ( $matches ) {
-								$escaped_s_char = 's' === $matches[2]
+								$escaped_s_char = 's' === $matches['S_CHAR']
 									? '\\u0073'
 									: '\\u0053';
-								return "{$matches[1]}{$escaped_s_char}{$matches[3]}";
+								return "{$matches['HEAD']}{$escaped_s_char}{$matches['TAIL']}";
 							},
 							$plaintext_content
 						);

From d058a78416a60203170468a5b585df9fb55d7c10 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 19:31:28 +0100
Subject: [PATCH 26/60] Clean up escaping tests

---
 .../wpHtmlTagProcessorModifiableText.php      | 46 ++++++++++---------
 1 file changed, 24 insertions(+), 22 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
index bd587149583a3..c9092bf609f65 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
@@ -544,7 +544,7 @@ public static function data_script_tag_text_updates(): array {
 	 * @ticket 64419
 	 */
 	public function test_complex_javascript_and_json_auto_escaping() {
-		$processor = new WP_HTML_Tag_Processor( "<script></script>\n<script></script>\n<h1>OK</h1>" );
+		$processor = new WP_HTML_Tag_Processor( "<script></script>\n<script></script>\n<hr>" );
 		$processor->next_tag( 'SCRIPT' );
 		$processor->set_attribute( 'type', 'importmap' );
 		$importmap_data = array(
@@ -558,27 +558,27 @@ public function test_complex_javascript_and_json_auto_escaping() {
 			JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_LINE_TERMINATORS
 		);
 
-		$processor->set_modifiable_text( $importmap );
+		$processor->set_modifiable_text( "\n{$importmap}\n" );
 		$decoded_importmap = json_decode( $processor->get_modifiable_text(), true );
-		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'Precondition failed, JSON did not decode as expected: ' . json_last_error_msg() );
-		$this->assertEquals(
-			$importmap_data,
-			$decoded_importmap,
-			'Precondition failed: importmap JSON did not decode/encode as expected: ' . json_last_error_msg()
-		);
-
+		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'JSON failed to decode correctly.' );
+		$this->assertEquals( $importmap_data, $decoded_importmap );
 		$processor->next_tag( 'SCRIPT' );
 		$processor->set_attribute( 'type', 'module' );
 		$javascript = <<<'JS'
 import '</SCRIPT>\\<!--\\<script>';
 JS;
-		$processor->set_modifiable_text( $javascript );
+		$processor->set_modifiable_text( "\n{$javascript}\n" );
 
-		$expected     = <<<'HTML'
-<script type="importmap">{"imports":{"\u003C/SCRIPT>\\\u003C!--\\\u003Cscript>":"./script"}}</script>
-<script type="module">import '</\u0053CRIPT>\\<!--\\<\u0073cript>';</script>
-<h1>OK</h1>
+		$expected = <<<'HTML'
+<script type="importmap">
+{"imports":{"\u003C/SCRIPT>\\\u003C!--\\\u003Cscript>":"./script"}}
+</script>
+<script type="module">
+import '</\u0053CRIPT>\\<!--\\<\u0073cript>';
+</script>
+<hr>
 HTML;
+
 		$updated_html = $processor->get_updated_html();
 		$this->assertEqualHTML( $expected, $updated_html );
 
@@ -588,11 +588,11 @@ public function test_complex_javascript_and_json_auto_escaping() {
 		$this->assertSame( 'importmap', $processor->get_attribute( 'type' ) );
 		$importmap_json    = $processor->get_modifiable_text();
 		$decoded_importmap = json_decode( $importmap_json, true );
-		$this->assertSame( 'No error', json_last_error_msg() );
+		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'Importmap JSON failed to decode.' );
 		$this->assertEquals(
 			$importmap_data,
 			$decoded_importmap,
-			'Precondition failed: re-processed importmap JSON did not decode/encode as expected: ' . json_last_error_msg()
+			'JSON was not equal after re-processing updated HTML.'
 		);
 	}
 
@@ -603,21 +603,23 @@ public function test_json_auto_escaping() {
 		// This is not a typical JSON encoding or escaping, but it is valid.
 		$json_text             = '"Escaped BS: \\\\; Escaped BS+LT: \\\\<; Unescaped LT: <; Script closer: </script>"';
 		$expected_decoded_json = 'Escaped BS: \\; Escaped BS+LT: \\<; Unescaped LT: <; Script closer: </script>';
-		$decoded_json          = json_decode( $json_text, true );
-		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'Precondition failed, JSON did not decode as expected: ' . json_last_error_msg() );
+		$decoded_json          = json_decode( $json_text );
+		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'JSON failed to decode.' );
 		$this->assertSame(
 			$expected_decoded_json,
 			$decoded_json,
-			'Precondition failed: test JSON text did not decode as expected.'
+			'Decoded JSON did not match expected value.'
 		);
 
 		$processor = new WP_HTML_Tag_Processor( '<script type="application/json"></script>' );
 		$processor->next_tag( 'SCRIPT' );
 
-		$processor->set_modifiable_text( $json_text );
+		$processor->set_modifiable_text( "\n{$json_text}\n" );
 
 		$expected = <<<'HTML'
-<script type="application/json">"Escaped BS: \\; Escaped BS+LT: \\\u003C; Unescaped LT: \u003C; Script closer: \u003C/script>"</script>
+<script type="application/json">
+"Escaped BS: \\; Escaped BS+LT: \\\u003C; Unescaped LT: \u003C; Script closer: \u003C/script>"
+</script>
 HTML;
 
 		$updated_html = $processor->get_updated_html();
@@ -627,7 +629,7 @@ public function test_json_auto_escaping() {
 		$processor = new WP_HTML_Tag_Processor( $expected );
 		$processor->next_tag( 'SCRIPT' );
 		$decoded_json_from_html = json_decode( $processor->get_modifiable_text(), true );
-		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'Precondition failed, JSON did not decode as expected: ' . json_last_error_msg() );
+		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'JSON failed to decode.' );
 		$this->assertEquals(
 			$expected_decoded_json,
 			$decoded_json_from_html

From dfb63af78f4650001184db1e23a66afe289b218b Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 19:35:44 +0100
Subject: [PATCH 27/60] Add ignore and todo tags to new private is_*_script_tag
 functions

---
 src/wp-includes/html-api/class-wp-html-tag-processor.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 8172676e3a2f7..a1dc6a1a96909 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3948,6 +3948,9 @@ static function ( $tag_match ) {
 	 *
 	 * @see https://html.spec.whatwg.org/multipage/scripting.html#prepare-the-script-element
 	 *
+	 * @ignore
+	 * @todo Consider a public API that is clear and general.
+	 *
 	 * @since 7.0.0
 	 *
 	 * @return bool True if the script tag will be evaluated as JavaScript.
@@ -4059,6 +4062,9 @@ private function is_javascript_script_tag(): bool {
 	/**
 	 * Indicates if the currently matched tag is a JSON script tag.
 	 *
+	 * @ignore
+	 * @todo Consider a public API that is clear and general.
+	 *
 	 * @since 7.0.0
 	 *
 	 * @return bool True if the script tag should be treated as JSON.

From 11f51c9e6078e45df7a5d540352abdbe94d41ba3 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 19:39:52 +0100
Subject: [PATCH 28/60] Improve example comment

---
 src/wp-includes/html-api/class-wp-html-tag-processor.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index a1dc6a1a96909..e5c13cbf12d71 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3820,9 +3820,10 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 				 * SCRIPT element from closing as expected, for example:
 				 *
 				 *     <script>
-				 *     // If this "<!--" then "<script>" the closing tag will not be recognized.
+				 *       // If "<!--" and "<script>" appear like this,
+				 *       // the following `</script>` close tag will not be recognized.
 				 *     </script>
-				 *     <h1>This appears inside the preceding SCRIPT element.</h1>
+				 *     <h1>This appears _inside_ the preceding SCRIPT element.</h1>
 				 *
 				 * The relevant state transitions happen on text like:
 				 *     1. <

From a3e0e27ce51fd4ccfeac114d227245cd45a4c734 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 19:43:07 +0100
Subject: [PATCH 29/60] Update regex comment with named groups

---
 src/wp-includes/html-api/class-wp-html-tag-processor.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index e5c13cbf12d71..5836fbd246b04 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3850,11 +3850,11 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 					if ( $this->is_javascript_script_tag() ) {
 						$plaintext_content = preg_replace_callback(
 							/*
-							 * This case-insensitive pattern consists of three groups:
+							 * This case-insensitive pattern consists of three groups (in order):
 							 *
-							 * 1: "<" or "</"
-							 * 2: "s"
-							 * 3: "cript" + a trailing character that terminates a tag name.
+							 * HEAD:   "<" or "</"
+							 * S_CHAR: "s"
+							 * TAIL:   "cript" + a trailing tag name termination character
 							 */
 							'~(?P<HEAD></?)(?P<S_CHAR>s)(?P<TAIL>cript[\\t\\r\\n\\f />])~i',
 							static function ( $matches ) {

From 288b95257abccbafc2a69c1e2777ca5cf971ab2d Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 19:44:08 +0100
Subject: [PATCH 30/60] Add details to "other" failure to escape comment

---
 src/wp-includes/html-api/class-wp-html-tag-processor.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 5836fbd246b04..6edc091c72886 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3883,7 +3883,8 @@ static function ( $matches ) {
 						);
 					} else {
 						/*
-						 * Other types of script tags cannot be escaped safely.
+						 * Other types of script tags cannot be escaped safely because the type
+						 * of comment and escaping strategy are unknown.
 						 */
 						return false;
 					}

From a7495ddf145d0cf8047a166275e931d2d082e4d1 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 19:45:54 +0100
Subject: [PATCH 31/60] Improve consistency of comment quoting and
 differentiate types of double quotes

---
 src/wp-includes/html-api/class-wp-html-tag-processor.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 6edc091c72886..815ca4000346f 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3814,9 +3814,9 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 				/*
 				 * SCRIPT tag contents can be dangerous.
 				 *
-				 * The text `</script>` could close the SCRIPT element prematurely.
+				 * The text "</script>" could close the SCRIPT element prematurely.
 				 *
-				 * The text `<script>` could enter the "script data double escaped state", preventing the
+				 * The text "<script>" could enter the “script data double escaped state”, preventing the
 				 * SCRIPT element from closing as expected, for example:
 				 *
 				 *     <script>

From 614916ded2fb3afacf29d7e0f2e5e0c2b8f9a6a2 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 20:09:59 +0100
Subject: [PATCH 32/60] Describe JavaScript escaping strategy in detail

---
 .../html-api/class-wp-html-tag-processor.php  | 42 ++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 815ca4000346f..d9e53ecce7a1d 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3845,7 +3845,47 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 					false !== stripos( $plaintext_content, '<script' )
 				) {
 					/*
-					 * JavaScript can be safely escaped.
+					 * JavaScript can be safely escaped with a few exceptions. This is achieved by
+					 * replacing dangerous sequences like "<script" and "</script" with a form
+					 * using a Unicode escape sequence "<\u0073cript>" and "</\u0073cript>".
+					 *
+					 * `<script` and `</script` appear in JavaScript source code in limited places,
+					 * all of which support a Unicode escape sequence on the "s" character.
+					 * JavaScript identifiers, string literals, template literals, and RegExp
+					 * literals all support Unicode escape sequences, meaning that the escaped form
+					 * is indistinguishable from the unescaped form when the JavaScript
+					 * is evaluated.
+					 *
+					 * There are a few exceptions where the escaped form can be detected:
+					 *
+					 * - The escaped form would appear in any JavaScript comments.
+					 * - “Raw” strings via `String.raw()` or the `raw` property of the first
+					 *   argument to a tagged template literal exposes the raw form, revealing any
+					 *   escaping that has been applied.
+					 * - The `source` property of a RegExp object reveals an escaped form the of
+					 *   the pattern.
+					 *
+					 * For JavaScript that needs to avoid these issues, workarounds may
+					 * be available. For example:
+					 *
+					 *      // Instead of:
+					 *      const rawStringWillBeEscaped = String.raw`</script>`;
+					 *
+					 *      // This will yield the same result with no escaping required:
+					 *      const rawStringWillBePreserved = String.raw`</scr` + String.raw`ipt>`;
+					 *
+					 *      // After the escaping has been applied and the JavaScript evaluated,
+					 *      // these are the resulting values:
+					 *      rawStringWillBeEscaped;  // "</\\u0073cript>"
+					 *      rawStringWillBePreserve; // "</script>"
+					 *
+					 *
+					 * Escaping is applied only where strictly necessary, reducing the likelyhood
+					 * that observable differences manifest in the escaped JavaScript.
+					 *
+					 * The alternatives are to reject JavaScript that could be safely escaped in
+					 * a majority of cases or to relax restrictions in ways that produce dangerous
+					 * or broken HTML documents, neither are desirable.
 					 */
 					if ( $this->is_javascript_script_tag() ) {
 						$plaintext_content = preg_replace_callback(

From d8c320c9ad8cb97ae08f569b7835c9b9284debe7 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 20:09:59 +0100
Subject: [PATCH 33/60] Describe JavaScript escaping strategy in detail

Explain caveats and hint at workarounds.
---
 .../html-api/class-wp-html-tag-processor.php  | 43 ++++++++++++++++++-
 1 file changed, 42 insertions(+), 1 deletion(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 815ca4000346f..0594c9a94888c 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3845,7 +3845,48 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 					false !== stripos( $plaintext_content, '<script' )
 				) {
 					/*
-					 * JavaScript can be safely escaped.
+					 * JavaScript can be safely escaped with a few exceptions. This is achieved by
+					 * replacing dangerous sequences like "<script" and "</script" with a form
+					 * using a Unicode escape sequence "<\u0073cript>" and "</\u0073cript>".
+					 *
+					 * `<script` and `</script` appear in JavaScript source code in limited places,
+					 * all of which support a Unicode escape sequence on the "s" character.
+					 * JavaScript identifiers, string literals, template literals, and RegExp
+					 * literals all support Unicode escape sequences, meaning that the escaped form
+					 * is indistinguishable from the unescaped form when the JavaScript
+					 * is evaluated.
+					 *
+					 * There are a few exceptions where the escaped form can be detected:
+					 *
+					 * - The escaped form would appear in any JavaScript comments.
+					 * - “Raw” strings via `String.raw()` or the `raw` property of the first
+					 *   argument to a tagged template literal exposes the raw form, revealing any
+					 *   escaping that has been applied.
+					 * - The `source` property of a RegExp object reveals an escaped form the of
+					 *   the pattern.
+					 *
+					 * For JavaScript that needs to avoid these issues, workarounds may
+					 * be available. For example:
+					 *
+					 *      // Instead of this:
+					 *      const rawStringWillBeEscaped = String.raw`</script>`;
+					 *
+					 *      // This is a safe alternative:
+					 *      const rawStringWillBePreserved = String.raw`</scr` + String.raw`ipt>`;
+					 *
+					 * After escaping, the JavaScript result looks like this:
+					 *
+					 *      const rawStringWillBeEscaped = String.raw`</\u0073cript>`;
+					 *      // Evaluates to `'</\\u0073cript>'`.
+					 *
+					 *      const rawStringWillBePreserved = String.raw`</scr` + String.raw`ipt>`;
+					 *      // Evaluates to `'</script>'`.
+					 *
+					 * Escaping is applied only where strictly necessary, reducing the likelyhood
+					 * that observable differences manifest in the escaped JavaScript.
+					 *
+					 * This escaping strategy strikes will make ALL JavaScript safe to embed in
+					 * HTML in a way that is completely transparent in most cases.
 					 */
 					if ( $this->is_javascript_script_tag() ) {
 						$plaintext_content = preg_replace_callback(

From 369eefca268be79f5612e1b48a186e5fd4d9f288 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 20:39:13 +0100
Subject: [PATCH 34/60] Use the updated_html value in round-trip test

---
 .../tests/html-api/wpHtmlTagProcessorModifiableText.php     | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
index c9092bf609f65..132bb6bbad495 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
@@ -582,7 +582,7 @@ public function test_complex_javascript_and_json_auto_escaping() {
 		$updated_html = $processor->get_updated_html();
 		$this->assertEqualHTML( $expected, $updated_html );
 
-		// Re-process and verify the JSON is correct.
+		// Reprocess to ensure JSON survives HTML round-trip:
 		$processor = new WP_HTML_Tag_Processor( $updated_html );
 		$processor->next_tag( 'SCRIPT' );
 		$this->assertSame( 'importmap', $processor->get_attribute( 'type' ) );
@@ -625,8 +625,8 @@ public function test_json_auto_escaping() {
 		$updated_html = $processor->get_updated_html();
 		$this->assertEqualHTML( $expected, $updated_html );
 
-		// Reprocess to ensure JSON value survives HTML round trip:
-		$processor = new WP_HTML_Tag_Processor( $expected );
+		// Reprocess to ensure JSON value survives HTML round-trip:
+		$processor = new WP_HTML_Tag_Processor( $updated_html );
 		$processor->next_tag( 'SCRIPT' );
 		$decoded_json_from_html = json_decode( $processor->get_modifiable_text(), true );
 		$this->assertSame( JSON_ERROR_NONE, json_last_error(), 'JSON failed to decode.' );

From 2869880bd372312e0b4657e98b8daeb5b7a887c2 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 20:43:50 +0100
Subject: [PATCH 35/60] Revert changes to wp_add_inline_script

This is not a necessary part of these changes
---
 src/wp-includes/functions.wp-scripts.php | 41 +++++++-----------------
 1 file changed, 12 insertions(+), 29 deletions(-)

diff --git a/src/wp-includes/functions.wp-scripts.php b/src/wp-includes/functions.wp-scripts.php
index e59ab6b7d39a9..f86b456d5f69a 100644
--- a/src/wp-includes/functions.wp-scripts.php
+++ b/src/wp-includes/functions.wp-scripts.php
@@ -130,35 +130,18 @@ function wp_print_scripts( $handles = false ) {
 function wp_add_inline_script( $handle, $data, $position = 'after' ) {
 	_wp_scripts_maybe_doing_it_wrong( __FUNCTION__, $handle );
 
-	/*
-	 * Check whether the script data appears to be enclosed in an HTML <script> tag.
-	 */
-	if (
-		/*
-		 * Detect a SCRIPT tag inside the provided script data.
-		 * $data must be sufficiently long and start with "<script" (case-insensitive),
-		 * followed by a tag name termination character.
-		 */
-		strlen( $data ) >= 17
-		&& 0 === substr_compare( $data, '<script', 0, 7, true )
-		&& 1 === strspn( $data, "\t\n\r\f />", 7, 1 )
-	) {
-		// Try to parse and extract the script contents.
-		$processor = new WP_HTML_Tag_Processor( $data );
-		$processor->next_token();
-		if ( $processor->get_tag() === 'SCRIPT' ) {
-			_doing_it_wrong(
-				__FUNCTION__,
-				sprintf(
-					/* translators: 1: <script>, 2: wp_add_inline_script() */
-					__( 'Do not pass %1$s tags to %2$s.' ),
-					'<code>&lt;script&gt;</code>',
-					'<code>wp_add_inline_script()</code>'
-				),
-				'4.5.0'
-			);
-			$data = $processor->get_modifiable_text();
-		}
+	if ( false !== stripos( $data, '</script>' ) ) {
+		_doing_it_wrong(
+			__FUNCTION__,
+			sprintf(
+				/* translators: 1: <script>, 2: wp_add_inline_script() */
+				__( 'Do not pass %1$s tags to %2$s.' ),
+				'<code>&lt;script&gt;</code>',
+				'<code>wp_add_inline_script()</code>'
+			),
+			'4.5.0'
+		);
+		$data = trim( preg_replace( '#<script[^>]*>(.*)</script>#is', '$1', $data ) );
 	}
 
 	return wp_scripts()->add_inline_script( $handle, $data, $position );

From d6bfdca5f937ec91f5d5ab25fc9159a85a55d4c9 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 20:45:33 +0100
Subject: [PATCH 36/60] Remove debugging assertions

---
 src/wp-includes/script-loader.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/wp-includes/script-loader.php b/src/wp-includes/script-loader.php
index 231fb11457a4f..85467be044543 100644
--- a/src/wp-includes/script-loader.php
+++ b/src/wp-includes/script-loader.php
@@ -3030,10 +3030,10 @@ function wp_get_inline_script_tag( $data, $attributes = array() ) {
 	$processor->next_tag();
 	foreach ( $attributes as $name => $value ) {
 		if ( is_string( $value ) || true === $value ) {
-			assert( $processor->set_attribute( $name, $value ) );
+			$processor->set_attribute( $name, $value );
 		}
 	}
-	assert( $processor->set_modifiable_text( $data ) );
+	$processor->set_modifiable_text( $data );
 	return $processor->get_updated_html();
 }
 

From b7099e40fea4d0f9a8bbc2c3f3a52288363f4404 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 20:46:51 +0100
Subject: [PATCH 37/60] fixup! Revert changes to wp_add_inline_script

---
 tests/phpunit/tests/dependencies/scripts.php | 52 --------------------
 1 file changed, 52 deletions(-)

diff --git a/tests/phpunit/tests/dependencies/scripts.php b/tests/phpunit/tests/dependencies/scripts.php
index f9d8a18aa3376..a3c8b92695f4f 100644
--- a/tests/phpunit/tests/dependencies/scripts.php
+++ b/tests/phpunit/tests/dependencies/scripts.php
@@ -4122,56 +4122,4 @@ public function test_wp_scripts_doing_it_wrong_for_missing_dependencies() {
 			'Expected _doing_it_wrong() notice to indicate missing dependencies for enqueued script.'
 		);
 	}
-
-	/**
-	 * @ticket TBD
-	 * @covers ::wp_add_inline_script
-	 */
-	public function test_gnarly_inline_script_requires_escaping() {
-		$this->add_html5_script_theme_support();
-		wp_enqueue_script( 'test-inline-script-after', 'http://example.org/script.js', array(), null );
-		$javascript = <<<'JS'
-var script;
-0</script/>0;'<!--';console.assert(1<script>=0);
-JS;
-		wp_add_inline_script( 'test-inline-script-after', $javascript, 'after' );
-		$output   = get_echo( 'wp_print_scripts' );
-		$expected = <<<'HTML'
-<script src="http://example.org/script.js" id="test-inline-script-after-js"></script>
-<script id="test-inline-script-after-js-after">
-var script;
-0</\u0073cript/>0;'<!--';console.assert(1<\u0073cript>=0);
-//# sourceURL=test-inline-script-after-js-after
-</script>
-HTML;
-
-		$this->assertEqualHTML( $expected, $output );
-	}
-
-	/**
-	 * @ticket TBD
-	 * @covers ::wp_add_inline_script
-	 *
-	 * @expectedIncorrectUsage wp_add_inline_script
-	 */
-	public function test_gnarly_inline_script_requires_escaping_with_wrapper() {
-		$this->add_html5_script_theme_support();
-		wp_enqueue_script( 'test-inline-script-after', 'http://example.org/script.js', array(), null );
-		$javascript = <<<'JS'
-<script>
-// Uh oh:</script>
-</script>
-JS;
-		wp_add_inline_script( 'test-inline-script-after', $javascript, 'after' );
-		$output   = get_echo( 'wp_print_scripts' );
-		$expected = <<<'HTML'
-<script src="http://example.org/script.js" id="test-inline-script-after-js"></script>
-<script id="test-inline-script-after-js-after">
-// Uh oh:
-//# sourceURL=test-inline-script-after-js-after
-</script>
-HTML;
-
-		$this->assertEqualHTML( $expected, $output );
-	}
 }

From 010a2a2309623bea863557dc43b8271b5dbb5f97 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 21:17:56 +0100
Subject: [PATCH 38/60] Switch to assertEqualHTML assertions

---
 tests/phpunit/tests/dependencies/scripts.php     |  6 ++----
 tests/phpunit/tests/dependencies/wpScriptTag.php | 10 +++++-----
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/tests/phpunit/tests/dependencies/scripts.php b/tests/phpunit/tests/dependencies/scripts.php
index a3c8b92695f4f..b04388deb0bd3 100644
--- a/tests/phpunit/tests/dependencies/scripts.php
+++ b/tests/phpunit/tests/dependencies/scripts.php
@@ -1558,15 +1558,13 @@ public function test_loading_strategy_with_valid_blocking_registration() {
 		wp_enqueue_script( 'main-script-b1', '/main-script-b1.js', array(), null );
 		$output   = get_echo( 'wp_print_scripts' );
 		$expected = "<script type='text/javascript' src='/main-script-b1.js' id='main-script-b1-js'></script>\n";
-		$expected = str_replace( "'", '"', $expected );
-		$this->assertSame( $expected, $output, 'Scripts registered with a "blocking" strategy, and who have no dependencies, should have no loading strategy attributes printed.' );
+		$this->assertEqualHTML( $expected, $output, '<body>', 'Scripts registered with a "blocking" strategy, and who have no dependencies, should have no loading strategy attributes printed.' );
 
 		// strategy args not set.
 		wp_enqueue_script( 'main-script-b2', '/main-script-b2.js', array(), null, array() );
 		$output   = get_echo( 'wp_print_scripts' );
 		$expected = "<script type='text/javascript' src='/main-script-b2.js' id='main-script-b2-js'></script>\n";
-		$expected = str_replace( "'", '"', $expected );
-		$this->assertSame( $expected, $output, 'Scripts registered with no strategy assigned, and who have no dependencies, should have no loading strategy attributes printed.' );
+		$this->assertEqualHTML( $expected, $output, '<body>', 'Scripts registered with no strategy assigned, and who have no dependencies, should have no loading strategy attributes printed.' );
 	}
 
 	/**
diff --git a/tests/phpunit/tests/dependencies/wpScriptTag.php b/tests/phpunit/tests/dependencies/wpScriptTag.php
index ee273f8fb3687..ea963a383b29e 100644
--- a/tests/phpunit/tests/dependencies/wpScriptTag.php
+++ b/tests/phpunit/tests/dependencies/wpScriptTag.php
@@ -11,7 +11,7 @@ class Tests_Functions_wpScriptTag extends WP_UnitTestCase {
 	public function get_script_tag_type_set() {
 		add_theme_support( 'html5', array( 'script' ) );
 
-		$this->assertSame(
+		$this->assertEqualHTML(
 			'<script src="https://localhost/PATH/FILE.js" type="application/javascript" nomodule></script>' . "\n",
 			wp_get_script_tag(
 				array(
@@ -25,7 +25,7 @@ public function get_script_tag_type_set() {
 
 		remove_theme_support( 'html5' );
 
-		$this->assertSame(
+		$this->assertEqualHTML(
 			'<script src="https://localhost/PATH/FILE.js" type="application/javascript" nomodule></script>' . "\n",
 			wp_get_script_tag(
 				array(
@@ -44,7 +44,7 @@ public function get_script_tag_type_set() {
 	public function test_get_script_tag_type_not_set() {
 		add_theme_support( 'html5', array( 'script' ) );
 
-		$this->assertSame(
+		$this->assertEqualHTML(
 			'<script src="https://localhost/PATH/FILE.js" nomodule></script>' . "\n",
 			wp_get_script_tag(
 				array(
@@ -80,7 +80,7 @@ static function ( $attributes ) {
 			'nomodule' => true,
 		);
 
-		$this->assertSame(
+		$this->assertEqualHTML(
 			wp_get_script_tag( $attributes ),
 			get_echo(
 				'wp_print_script_tag',
@@ -90,7 +90,7 @@ static function ( $attributes ) {
 
 		remove_theme_support( 'html5' );
 
-		$this->assertSame(
+		$this->assertEqualHTML(
 			wp_get_script_tag( $attributes ),
 			get_echo(
 				'wp_print_script_tag',

From ab53486b6932092526e3308300b629dd3595301e Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 21:18:39 +0100
Subject: [PATCH 39/60] Update defer/async boolean attributes

---
 tests/phpunit/tests/dependencies/scripts.php | 52 ++++++++++----------
 1 file changed, 26 insertions(+), 26 deletions(-)

diff --git a/tests/phpunit/tests/dependencies/scripts.php b/tests/phpunit/tests/dependencies/scripts.php
index b04388deb0bd3..600675d477ba7 100644
--- a/tests/phpunit/tests/dependencies/scripts.php
+++ b/tests/phpunit/tests/dependencies/scripts.php
@@ -224,7 +224,7 @@ public function test_loading_strategy_with_valid_async_registration() {
 		// No dependents, No dependencies then async.
 		wp_enqueue_script( 'main-script-a1', '/main-script-a1.js', array(), null, array( 'strategy' => 'async' ) );
 		$output   = get_echo( 'wp_print_scripts' );
-		$expected = "<script type='text/javascript' src='/main-script-a1.js' id='main-script-a1-js' async='async' data-wp-strategy='async'></script>\n";
+		$expected = "<script type='text/javascript' src='/main-script-a1.js' id='main-script-a1-js' async data-wp-strategy='async'></script>\n";
 		$this->assertEqualHTML( $expected, $output, '<body>', 'Scripts enqueued with an async loading strategy are failing to have the async attribute applied to the script handle when being printed.' );
 	}
 
@@ -1010,7 +1010,7 @@ public function data_provider_to_test_various_strategy_dependency_chains() {
 //# sourceURL=defer-with-before-inline-js-before
 /* ]]> */
 </script>
-<script type='text/javascript' src='https://example.com/external.js?script_event_log=defer-with-before-inline:%20script' id='defer-with-before-inline-js' defer='defer' data-wp-strategy='defer'></script>
+<script type='text/javascript' src='https://example.com/external.js?script_event_log=defer-with-before-inline:%20script' id='defer-with-before-inline-js' defer data-wp-strategy='defer'></script>
 HTML
 				,
 			),
@@ -1043,9 +1043,9 @@ public function data_provider_to_test_various_strategy_dependency_chains() {
 					wp_enqueue_script( 'theme-functions', 'https://example.com/theme-functions.js', array( 'jquery' ), null, array( 'strategy' => 'defer' ) );
 				},
 				'expected_markup' => <<<HTML
-<script type='text/javascript' src='http://$wp_tests_domain/wp-includes/js/jquery/jquery.js' id='jquery-core-js' defer='defer' data-wp-strategy='defer'></script>
-<script type='text/javascript' src='http://$wp_tests_domain/wp-includes/js/jquery/jquery-migrate.js' id='jquery-migrate-js' defer='defer' data-wp-strategy='defer'></script>
-<script type='text/javascript' src='https://example.com/theme-functions.js' id='theme-functions-js' defer='defer' data-wp-strategy='defer'></script>
+<script type='text/javascript' src='http://$wp_tests_domain/wp-includes/js/jquery/jquery.js' id='jquery-core-js' defer data-wp-strategy='defer'></script>
+<script type='text/javascript' src='http://$wp_tests_domain/wp-includes/js/jquery/jquery-migrate.js' id='jquery-migrate-js' defer data-wp-strategy='defer'></script>
+<script type='text/javascript' src='https://example.com/theme-functions.js' id='theme-functions-js' defer data-wp-strategy='defer'></script>
 HTML
 				,
 			),
@@ -1101,9 +1101,9 @@ public function data_provider_to_test_various_strategy_dependency_chains() {
 					$this->enqueue_test_script( 'defer-dependent-of-async-aliases', 'defer', array( $alias_handle ) );
 				},
 				'expected_markup' => <<<HTML
-<script type='text/javascript' src='https://example.com/external.js?script_event_log=async1:%20script' id='async1-js' defer='defer' data-wp-strategy='async'></script>
-<script type='text/javascript' src='https://example.com/external.js?script_event_log=async2:%20script' id='async2-js' defer='defer' data-wp-strategy='async'></script>
-<script type='text/javascript' src='https://example.com/external.js?script_event_log=defer-dependent-of-async-aliases:%20script' id='defer-dependent-of-async-aliases-js' defer='defer' data-wp-strategy='defer'></script>
+<script type='text/javascript' src='https://example.com/external.js?script_event_log=async1:%20script' id='async1-js' defer data-wp-strategy='async'></script>
+<script type='text/javascript' src='https://example.com/external.js?script_event_log=async2:%20script' id='async2-js' defer data-wp-strategy='async'></script>
+<script type='text/javascript' src='https://example.com/external.js?script_event_log=defer-dependent-of-async-aliases:%20script' id='defer-dependent-of-async-aliases-js' defer data-wp-strategy='defer'></script>
 HTML
 				,
 			),
@@ -1234,10 +1234,10 @@ public function test_defer_with_async_dependent() {
 		);
 		// Note: All of these scripts have fetchpriority=high because the leaf dependent script has that fetch priority.
 		$output    = get_echo( 'wp_print_scripts' );
-		$expected  = "<script type='text/javascript' src='/main-script-d4.js'        id='main-script-d4-js'        defer='defer' data-wp-strategy='defer' fetchpriority='high' data-wp-fetchpriority='auto'></script>\n";
-		$expected .= "<script type='text/javascript' src='/dependent-script-d4-1.js' id='dependent-script-d4-1-js' defer='defer' data-wp-strategy='defer' fetchpriority='high' data-wp-fetchpriority='auto'></script>\n";
-		$expected .= "<script type='text/javascript' src='/dependent-script-d4-2.js' id='dependent-script-d4-2-js' defer='defer' data-wp-strategy='async' fetchpriority='high' data-wp-fetchpriority='low'></script>\n";
-		$expected .= "<script type='text/javascript' src='/dependent-script-d4-3.js' id='dependent-script-d4-3-js' defer='defer' data-wp-strategy='defer' fetchpriority='high'></script>\n";
+		$expected  = "<script type='text/javascript' src='/main-script-d4.js'        id='main-script-d4-js'        defer data-wp-strategy='defer' fetchpriority='high' data-wp-fetchpriority='auto'></script>\n";
+		$expected .= "<script type='text/javascript' src='/dependent-script-d4-1.js' id='dependent-script-d4-1-js' defer data-wp-strategy='defer' fetchpriority='high' data-wp-fetchpriority='auto'></script>\n";
+		$expected .= "<script type='text/javascript' src='/dependent-script-d4-2.js' id='dependent-script-d4-2-js' defer data-wp-strategy='async' fetchpriority='high' data-wp-fetchpriority='low'></script>\n";
+		$expected .= "<script type='text/javascript' src='/dependent-script-d4-3.js' id='dependent-script-d4-3-js' defer data-wp-strategy='defer' fetchpriority='high'></script>\n";
 
 		$this->assertEqualHTML( $expected, $output, '<body>', 'Scripts registered as defer but that have dependents that are async are expected to have said dependents deferred.' );
 	}
@@ -1500,7 +1500,7 @@ public function test_printing_default_script_comment_reply_enqueued_or_not_enque
 
 		$this->assertEqualHTML(
 			sprintf(
-				'<script type="text/javascript" src="%s" id="comment-reply-js" async="async" data-wp-strategy="async" fetchpriority="low"></script>',
+				'<script type="text/javascript" src="%s" id="comment-reply-js" async data-wp-strategy="async" fetchpriority="low"></script>',
 				includes_url( 'js/comment-reply.js' )
 			),
 			$markup
@@ -1850,7 +1850,7 @@ public function test_concatenate_with_defer_strategy() {
 		$print_scripts = get_echo( '_print_scripts' );
 
 		$expected  = "<script type='text/javascript' src='/wp-admin/load-scripts.php?c=0&amp;load%5Bchunk_0%5D=one-concat-dep,two-concat-dep,three-concat-dep&amp;ver={$wp_version}'></script>\n";
-		$expected .= "<script type='text/javascript' src='/main-script.js' id='main-defer-script-js' defer='defer' data-wp-strategy='defer'></script>\n";
+		$expected .= "<script type='text/javascript' src='/main-script.js' id='main-defer-script-js' defer data-wp-strategy='defer'></script>\n";
 
 		$this->assertEqualHTML( $expected, $print_scripts, '<body>', 'Scripts are being incorrectly concatenated when a main script is registered with a "defer" loading strategy. Deferred scripts should not be part of the script concat loading query.' );
 	}
@@ -1881,7 +1881,7 @@ public function test_concatenate_with_async_strategy() {
 		$print_scripts = get_echo( '_print_scripts' );
 
 		$expected  = "<script type='text/javascript' src='/wp-admin/load-scripts.php?c=0&amp;load%5Bchunk_0%5D=one-concat-dep-1,two-concat-dep-1,three-concat-dep-1&amp;ver={$wp_version}'></script>\n";
-		$expected .= "<script type='text/javascript' src='/main-script.js' id='main-async-script-1-js' async='async' data-wp-strategy='async'></script>\n";
+		$expected .= "<script type='text/javascript' src='/main-script.js' id='main-async-script-1-js' async data-wp-strategy='async'></script>\n";
 
 		$this->assertEqualHTML( $expected, $print_scripts, '<body>', 'Scripts are being incorrectly concatenated when a main script is registered with an "async" loading strategy. Async scripts should not be part of the script concat loading query.' );
 	}
@@ -1916,7 +1916,7 @@ public function test_concatenate_with_blocking_script_before_and_after_script_wi
 		$print_scripts = get_echo( '_print_scripts' );
 
 		$expected  = "<script type='text/javascript' src='/wp-admin/load-scripts.php?c=0&amp;load%5Bchunk_0%5D=one-concat-dep-2,two-concat-dep-2,three-concat-dep-2,four-concat-dep-2,five-concat-dep-2,six-concat-dep-2&amp;ver={$wp_version}'></script>\n";
-		$expected .= "<script type='text/javascript' src='/main-script.js' id='deferred-script-2-js' defer='defer' data-wp-strategy='defer'></script>\n";
+		$expected .= "<script type='text/javascript' src='/main-script.js' id='deferred-script-2-js' defer data-wp-strategy='defer'></script>\n";
 
 		$this->assertEqualHTML( $expected, $print_scripts, '<body>', 'Scripts are being incorrectly concatenated when a main script is registered as deferred after other blocking scripts are registered. Deferred scripts should not be part of the script concat loader query string. ' );
 	}
@@ -3697,10 +3697,10 @@ public function data_provider_script_move_to_footer() {
 					);
 				},
 				'expected_header'    => '
-					<script type="text/javascript" src="https://example.com/script-a.js" id="script-a-js" defer="defer" data-wp-strategy="defer"></script>
+					<script type="text/javascript" src="https://example.com/script-a.js" id="script-a-js" defer data-wp-strategy="defer"></script>
 				',
 				'expected_footer'    => '
-					<script type="text/javascript" src="https://example.com/script-b.js" id="script-b-js" defer="defer" data-wp-strategy="defer"></script>
+					<script type="text/javascript" src="https://example.com/script-b.js" id="script-b-js" defer data-wp-strategy="defer"></script>
 				',
 				'expected_in_footer' => array(
 					'script-b',
@@ -3747,12 +3747,12 @@ public function data_provider_script_move_to_footer() {
 					);
 				},
 				'expected_header'    => '
-					<script type="text/javascript" src="https://example.com/script-a.js" id="script-a-js" defer="defer" data-wp-strategy="defer"></script>
-					<script type="text/javascript" src="https://example.com/script-b.js" id="script-b-js" defer="defer" data-wp-strategy="defer"></script>
+					<script type="text/javascript" src="https://example.com/script-a.js" id="script-a-js" defer data-wp-strategy="defer"></script>
+					<script type="text/javascript" src="https://example.com/script-b.js" id="script-b-js" defer data-wp-strategy="defer"></script>
 				',
 				'expected_footer'    => '
-					<script type="text/javascript" src="https://example.com/script-c.js" id="script-c-js" defer="defer" data-wp-strategy="defer"></script>
-					<script type="text/javascript" src="https://example.com/script-d.js" id="script-d-js" defer="defer" data-wp-strategy="defer"></script>
+					<script type="text/javascript" src="https://example.com/script-c.js" id="script-c-js" defer data-wp-strategy="defer"></script>
+					<script type="text/javascript" src="https://example.com/script-d.js" id="script-d-js" defer data-wp-strategy="defer"></script>
 				',
 				'expected_in_footer' => array(
 					'script-c',
@@ -3795,9 +3795,9 @@ public function data_provider_script_move_to_footer() {
 				'expected_header'    => '',
 				'expected_footer'    => '
 					<script type="text/javascript" src="https://example.com/script-a.js" id="script-a-js" data-wp-strategy="defer"></script>
-					<script type="text/javascript" src="https://example.com/script-b.js" id="script-b-js" defer="defer" data-wp-strategy="defer"></script>
+					<script type="text/javascript" src="https://example.com/script-b.js" id="script-b-js" defer data-wp-strategy="defer"></script>
 					<script type="text/javascript" src="https://example.com/script-c.js" id="script-c-js"></script>
-					<script type="text/javascript" src="https://example.com/script-d.js" id="script-d-js" defer="defer" data-wp-strategy="defer"></script>
+					<script type="text/javascript" src="https://example.com/script-d.js" id="script-d-js" defer data-wp-strategy="defer"></script>
 				',
 				'expected_in_footer' => array(
 					'script-a',
@@ -3842,11 +3842,11 @@ public function data_provider_script_move_to_footer() {
 				},
 				'expected_header'    => '
 					<script type="text/javascript" src="https://example.com/script-a.js" id="script-a-js" data-wp-strategy="defer"></script>
-					<script type="text/javascript" src="https://example.com/script-b.js" id="script-b-js" defer="defer" data-wp-strategy="defer"></script>
+					<script type="text/javascript" src="https://example.com/script-b.js" id="script-b-js" defer data-wp-strategy="defer"></script>
 				',
 				'expected_footer'    => '
 					<script type="text/javascript" src="https://example.com/script-c.js" id="script-c-js"></script>
-					<script type="text/javascript" src="https://example.com/script-d.js" id="script-d-js" defer="defer" data-wp-strategy="defer"></script>
+					<script type="text/javascript" src="https://example.com/script-d.js" id="script-d-js" defer data-wp-strategy="defer"></script>
 				',
 				'expected_in_footer' => array(
 					'script-c',

From 3ba22674ee269db7171d4baef6ac169641c27148 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 22:19:31 +0100
Subject: [PATCH 40/60] Use Tag Processor in wp_get_script_Tag

---
 src/wp-includes/script-loader.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/wp-includes/script-loader.php b/src/wp-includes/script-loader.php
index 85467be044543..0137c6c0ef8f7 100644
--- a/src/wp-includes/script-loader.php
+++ b/src/wp-includes/script-loader.php
@@ -2923,7 +2923,14 @@ function wp_get_script_tag( $attributes ) {
 	 */
 	$attributes = apply_filters( 'wp_script_attributes', $attributes );
 
-	return sprintf( "<script%s></script>\n", wp_sanitize_script_attributes( $attributes ) );
+	$processor = new WP_HTML_Tag_Processor( "<script></script>\n" );
+	$processor->next_tag();
+	foreach ( $attributes as $name => $value ) {
+		if ( is_string( $value ) || true === $value ) {
+			$processor->set_attribute( $name, $value );
+		}
+	}
+	return $processor->get_updated_html();
 }
 
 /**

From 64a23b70c51f9fef866954ac1b4bca0ea39457e3 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 22:19:57 +0100
Subject: [PATCH 41/60] Add utility for semantically comparing a SCRIPT tag
 within HTML

---
 tests/phpunit/tests/dependencies/scripts.php | 22 ++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/tests/phpunit/tests/dependencies/scripts.php b/tests/phpunit/tests/dependencies/scripts.php
index 600675d477ba7..040c7015d292a 100644
--- a/tests/phpunit/tests/dependencies/scripts.php
+++ b/tests/phpunit/tests/dependencies/scripts.php
@@ -69,6 +69,28 @@ public function tear_down() {
 		parent::tear_down();
 	}
 
+	private function assertEqualHTMLScriptTagById( string $expected, string $html, ?string $message ) {
+		$find_id_tag_processor = new WP_HTML_Tag_Processor( $expected );
+		$find_id_tag_processor->next_token();
+		$id = $find_id_tag_processor->get_attribute( 'id' );
+		assert( is_string( $id ) );
+
+		$processor = ( new class('', WP_HTML_Processor::CONSTRUCTOR_UNLOCK_CODE ) extends WP_HTML_Processor {
+			public function get_script_html() {
+				assert( 'SCRIPT' === $this->get_tag() );
+				$this->set_bookmark( 'here' );
+				$span = $this->bookmarks['_here'];
+				return substr( $this->html, $span->start, $span->length );
+			}
+		} )::create_fragment( $html );
+
+		while ( $processor->next_tag( 'SCRIPT' ) && $processor->get_attribute( 'id' ) !== $id ) {
+			// Loop until we find the right script tag.
+		}
+		$this->assertSame( 'SCRIPT', $processor->get_tag(), "Matching tag `script#{$id}` could not be found." );
+		$this->assertEqualHTML( $expected, $processor->get_script_html(), '<body>', $message );
+	}
+
 	/**
 	 * Test versioning
 	 *

From c92082185cbb64a0f8dc5c46f05f21ad4819e120 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 22:22:04 +0100
Subject: [PATCH 42/60] Use script tag comparison in tests

---
 tests/phpunit/tests/dependencies/scripts.php | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/tests/phpunit/tests/dependencies/scripts.php b/tests/phpunit/tests/dependencies/scripts.php
index 040c7015d292a..3968b25774459 100644
--- a/tests/phpunit/tests/dependencies/scripts.php
+++ b/tests/phpunit/tests/dependencies/scripts.php
@@ -316,8 +316,8 @@ public function test_delayed_dependent_with_blocking_dependency_not_enqueued( $s
 		// This dependent is registered but not enqueued, so it should not factor into the eligible loading strategy.
 		wp_register_script( 'dependent-script-a4', '/dependent-script-a4.js', array( 'main-script-a4' ), null );
 		$output   = get_echo( 'wp_print_scripts' );
-		$expected = str_replace( "'", '"', "<script src='/main-script-a4.js' id='main-script-a4-js' {$strategy} data-wp-strategy='{$strategy}'></script>" );
-		$this->assertStringContainsString( $expected, $output, 'Only enqueued dependents should affect the eligible strategy.' );
+		$expected = "<script src='/main-script-a4.js' id='main-script-a4-js' {$strategy} data-wp-strategy='{$strategy}'></script>";
+		$this->assertEqualHTMLScriptTagById( $expected, $output, 'Only enqueued dependents should affect the eligible strategy.' );
 	}
 
 	/**
@@ -1164,8 +1164,8 @@ public function test_loading_strategy_with_defer_having_no_dependents_nor_depend
 		$this->add_html5_script_theme_support();
 		wp_enqueue_script( 'main-script-d1', 'http://example.com/main-script-d1.js', array(), null, array( 'strategy' => 'defer' ) );
 		$output   = get_echo( 'wp_print_scripts' );
-		$expected = str_replace( "'", '"', "<script src='http://example.com/main-script-d1.js' id='main-script-d1-js' defer data-wp-strategy='defer'></script>\n" );
-		$this->assertStringContainsString( $expected, $output, 'Expected defer, as there is no dependent or dependency' );
+		$expected = "<script src='http://example.com/main-script-d1.js' id='main-script-d1-js' defer data-wp-strategy='defer'></script>\n";
+		$this->assertEqualHTMLScriptTagById( $expected, $output, 'Expected defer, as there is no dependent or dependency' );
 	}
 
 	/**
@@ -1185,7 +1185,7 @@ public function test_loading_strategy_with_defer_dependent_and_varied_dependenci
 		wp_enqueue_script( 'main-script-d2', 'http://example.com/main-script-d2.js', array( 'dependency-script-d2-1', 'dependency-script-d2-3' ), null, array( 'strategy' => 'defer' ) );
 		$output   = get_echo( 'wp_print_scripts' );
 		$expected = '<script src="http://example.com/main-script-d2.js" id="main-script-d2-js" defer data-wp-strategy="defer"></script>';
-		$this->assertStringContainsString( $expected, $output, 'Expected defer, as all dependencies are either deferred or blocking' );
+		$this->assertEqualHTMLScriptTagById( $expected, $output, 'Expected defer, as all dependencies are either deferred or blocking' );
 	}
 
 	/**
@@ -1205,7 +1205,7 @@ public function test_loading_strategy_with_all_defer_dependencies() {
 		wp_enqueue_script( 'dependent-script-d3-3', 'http://example.com/dependent-script-d3-3.js', array( 'dependent-script-d3-2' ), null, array( 'strategy' => 'defer' ) );
 		$output   = get_echo( 'wp_print_scripts' );
 		$expected = '<script src="http://example.com/main-script-d3.js" id="main-script-d3-js" defer data-wp-strategy="defer"></script>';
-		$this->assertStringContainsString( $expected, $output, 'Expected defer, as all dependents have defer loading strategy' );
+		$this->assertEqualHTMLScriptTagById( $expected, $output, 'Expected defer, as all dependents have defer loading strategy' );
 	}
 
 	/**
@@ -1561,9 +1561,10 @@ public function test_loading_strategy_with_invalid_defer_registration() {
 		wp_enqueue_script( 'dependent-script-d4-1', '/dependent-script-d4-1.js', array( 'main-script-d4' ), null, array( 'strategy' => 'defer' ) );
 		wp_enqueue_script( 'dependent-script-d4-2', '/dependent-script-d4-2.js', array( 'dependent-script-d4-1' ), null );
 		wp_enqueue_script( 'dependent-script-d4-3', '/dependent-script-d4-3.js', array( 'dependent-script-d4-2' ), null, array( 'strategy' => 'defer' ) );
+
 		$output   = get_echo( 'wp_print_scripts' );
-		$expected = str_replace( "'", '"', "<script type='text/javascript' src='/main-script-d4.js' id='main-script-d4-js' data-wp-strategy='defer'></script>\n" );
-		$this->assertStringContainsString( $expected, $output, 'Scripts registered as defer but that have all dependents with no strategy, should become blocking (no strategy).' );
+		$expected = "<script type='text/javascript' src='/main-script-d4.js' id='main-script-d4-js' data-wp-strategy='defer'></script>\n";
+		$this->assertEqualHTMLScriptTagById( $expected, $output, 'Scripts registered as defer but that have all dependents with no strategy, should become blocking (no strategy).' );
 	}
 
 	/**

From dbd9f55692d9d0bbd1399bf9abef3b493e9df79a Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 22:23:34 +0100
Subject: [PATCH 43/60] Remove more async=async and defer=defer

---
 tests/phpunit/tests/dependencies/scripts.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/tests/phpunit/tests/dependencies/scripts.php b/tests/phpunit/tests/dependencies/scripts.php
index 3968b25774459..af9bd294a76ad 100644
--- a/tests/phpunit/tests/dependencies/scripts.php
+++ b/tests/phpunit/tests/dependencies/scripts.php
@@ -217,9 +217,9 @@ public function test_before_inline_scripts_with_delayed_main_script( $strategy )
 				'id' => 'ds-i1-1-js-before',
 			)
 		);
-		$expected .= "<script type='text/javascript' src='http://example.org/ds-i1-1.js' id='ds-i1-1-js' {$strategy}='{$strategy}' data-wp-strategy='{$strategy}'></script>\n";
-		$expected .= "<script type='text/javascript' src='http://example.org/ds-i1-2.js' id='ds-i1-2-js' {$strategy}='{$strategy}' data-wp-strategy='{$strategy}'></script>\n";
-		$expected .= "<script type='text/javascript' src='http://example.org/ds-i1-3.js' id='ds-i1-3-js' {$strategy}='{$strategy}' data-wp-strategy='{$strategy}'></script>\n";
+		$expected .= "<script type='text/javascript' src='http://example.org/ds-i1-1.js' id='ds-i1-1-js' {$strategy} data-wp-strategy='{$strategy}'></script>\n";
+		$expected .= "<script type='text/javascript' src='http://example.org/ds-i1-2.js' id='ds-i1-2-js' {$strategy} data-wp-strategy='{$strategy}'></script>\n";
+		$expected .= "<script type='text/javascript' src='http://example.org/ds-i1-3.js' id='ds-i1-3-js' {$strategy} data-wp-strategy='{$strategy}'></script>\n";
 		$expected .= wp_get_inline_script_tag(
 			"console.log('before last');\n//# sourceURL=ms-i1-1-js-before",
 			array(
@@ -227,7 +227,7 @@ public function test_before_inline_scripts_with_delayed_main_script( $strategy )
 				'type' => 'text/javascript',
 			)
 		);
-		$expected .= "<script type='text/javascript' src='http://example.org/ms-i1-1.js' id='ms-i1-1-js' {$strategy}='{$strategy}' data-wp-strategy='{$strategy}'></script>\n";
+		$expected .= "<script type='text/javascript' src='http://example.org/ms-i1-1.js' id='ms-i1-1-js' {$strategy} data-wp-strategy='{$strategy}'></script>\n";
 
 		$this->assertEqualHTML( $expected, $output, '<body>', 'Inline scripts in the "before" position, that are attached to a deferred main script, are failing to print/execute.' );
 	}
@@ -269,7 +269,7 @@ public function test_delayed_dependent_with_blocking_dependency( $strategy ) {
 		wp_enqueue_script( 'main-script-a2', '/main-script-a2.js', array( 'dependency-script-a2' ), null, compact( 'strategy' ) );
 		$output    = get_echo( 'wp_print_scripts' );
 		$expected  = "<script id='dependency-script-a2-js' src='/dependency-script-a2.js' type='text/javascript'></script>\n";
-		$expected .= "<script type='text/javascript' src='/main-script-a2.js' id='main-script-a2-js' {$strategy}='{$strategy}' data-wp-strategy='{$strategy}'></script>";
+		$expected .= "<script type='text/javascript' src='/main-script-a2.js' id='main-script-a2-js' {$strategy} data-wp-strategy='{$strategy}'></script>";
 		$this->assertEqualHTML( $expected, $output, '<body>', 'Dependents of a blocking dependency are free to have any strategy.' );
 	}
 

From 7bef55a2ca1ffb538859ee0b427a255ee2c3cd4b Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 22:29:19 +0100
Subject: [PATCH 44/60] fixup! Use script tag comparison in tests

---
 tests/phpunit/tests/dependencies/scripts.php | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/tests/phpunit/tests/dependencies/scripts.php b/tests/phpunit/tests/dependencies/scripts.php
index af9bd294a76ad..9077903412aa3 100644
--- a/tests/phpunit/tests/dependencies/scripts.php
+++ b/tests/phpunit/tests/dependencies/scripts.php
@@ -2637,13 +2637,6 @@ public function test_wp_add_inline_script_customize_dependency() {
 		$wp_scripts->base_url  = '';
 		$wp_scripts->do_concat = true;
 
-		$expected_tail  = "<script type='text/javascript' src='/customize-dependency.js' id='customize-dependency-js'></script>\n";
-		$expected_tail .= "<script type='text/javascript' id='customize-dependency-js-after'>\n";
-		$expected_tail .= "/* <![CDATA[ */\n";
-		$expected_tail .= "tryCustomizeDependency()\n";
-		$expected_tail .= "//# sourceURL=customize-dependency-js-after\n";
-		$expected_tail .= "/* ]]> */\n";
-		$expected_tail .= "</script>\n";
 
 		$handle = 'customize-dependency';
 		wp_enqueue_script( $handle, '/customize-dependency.js', array( 'customize-controls' ), null );
@@ -2656,9 +2649,16 @@ public function test_wp_add_inline_script_customize_dependency() {
 		_print_scripts();
 		$print_scripts = $this->getActualOutput();
 
-		$tail = substr( $print_scripts, strrpos( $print_scripts, '<script type="text/javascript" src="/customize-dependency.js" id="customize-dependency-js">' ) );
+		$expected = "<script type='text/javascript' src='/customize-dependency.js' id='customize-dependency-js'></script>\n";
+		$this->assertEqualHTMLScriptTagById( $expected, $print_scripts );
 
-		$this->assertEqualHTML( $expected_tail, $tail );
+		$expected  = "<script type='text/javascript' id='customize-dependency-js-after'>\n";
+		$expected .= "/* <![CDATA[ */\n";
+		$expected .= "tryCustomizeDependency()\n";
+		$expected .= "//# sourceURL=customize-dependency-js-after\n";
+		$expected .= "/* ]]> */\n";
+		$expected .= "</script>\n";
+		$this->assertEqualHTMLScriptTagById( $expected, $print_scripts );
 	}
 
 	/**

From 43333005a4454e1535f5813173cbae55b8d7158e Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 22:29:31 +0100
Subject: [PATCH 45/60] fixup! Add utility for semantically comparing a SCRIPT
 tag within HTML

---
 tests/phpunit/tests/dependencies/scripts.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/phpunit/tests/dependencies/scripts.php b/tests/phpunit/tests/dependencies/scripts.php
index 9077903412aa3..be60483681425 100644
--- a/tests/phpunit/tests/dependencies/scripts.php
+++ b/tests/phpunit/tests/dependencies/scripts.php
@@ -69,7 +69,7 @@ public function tear_down() {
 		parent::tear_down();
 	}
 
-	private function assertEqualHTMLScriptTagById( string $expected, string $html, ?string $message ) {
+	private function assertEqualHTMLScriptTagById( string $expected, string $html, string $message = 'The SCRIPT tag did not match.' ) {
 		$find_id_tag_processor = new WP_HTML_Tag_Processor( $expected );
 		$find_id_tag_processor->next_token();
 		$id = $find_id_tag_processor->get_attribute( 'id' );

From 504a928bddebc0ab255fc310204d0f99c6080c7d Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 19 Dec 2025 22:51:02 +0100
Subject: [PATCH 46/60] fix lint

---
 tests/phpunit/tests/dependencies/scripts.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tests/phpunit/tests/dependencies/scripts.php b/tests/phpunit/tests/dependencies/scripts.php
index be60483681425..a3599ee48537b 100644
--- a/tests/phpunit/tests/dependencies/scripts.php
+++ b/tests/phpunit/tests/dependencies/scripts.php
@@ -2637,7 +2637,6 @@ public function test_wp_add_inline_script_customize_dependency() {
 		$wp_scripts->base_url  = '';
 		$wp_scripts->do_concat = true;
 
-
 		$handle = 'customize-dependency';
 		wp_enqueue_script( $handle, '/customize-dependency.js', array( 'customize-controls' ), null );
 		wp_add_inline_script( $handle, 'tryCustomizeDependency()' );

From 2ef0bf0a0bea953cecfe1c87e0888abf25b5acfd Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 22 Dec 2025 13:35:13 +0100
Subject: [PATCH 47/60] Fix demonstration comment

---
 src/wp-includes/html-api/class-wp-html-tag-processor.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 0594c9a94888c..fa5e037cef830 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3821,7 +3821,7 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 				 *
 				 *     <script>
 				 *       // If "<!--" and "<script>" appear like this,
-				 *       // the following `</script>` close tag will not be recognized.
+				 *       // the following SCRIPT close tag will not be recognized.
 				 *     </script>
 				 *     <h1>This appears _inside_ the preceding SCRIPT element.</h1>
 				 *

From cb6b9900e13736e8ec377ffc29ed040adaf87e95 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 22 Dec 2025 16:49:36 +0100
Subject: [PATCH 48/60] Extract and document escaping functions

---
 .../html-api/class-wp-html-tag-processor.php  | 191 ++++++++----------
 1 file changed, 87 insertions(+), 104 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index fa5e037cef830..cf06d9cf467ea 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3812,116 +3812,22 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 		switch ( $this->get_tag() ) {
 			case 'SCRIPT':
 				/*
-				 * SCRIPT tag contents can be dangerous.
+				 * SCRIPT tag contents can be dangerous:
 				 *
-				 * The text "</script>" could close the SCRIPT element prematurely.
+				 * - "</script>" could close the SCRIPT element prematurely.
+				 * - "<script>" could enter the “script data double escaped state” and preventing the
+				 *   SCRIPT element from closing as expected.
 				 *
-				 * The text "<script>" could enter the “script data double escaped state”, preventing the
-				 * SCRIPT element from closing as expected, for example:
-				 *
-				 *     <script>
-				 *       // If "<!--" and "<script>" appear like this,
-				 *       // the following SCRIPT close tag will not be recognized.
-				 *     </script>
-				 *     <h1>This appears _inside_ the preceding SCRIPT element.</h1>
-				 *
-				 * The relevant state transitions happen on text like:
-				 *     1. <
-				 *     2. / (optional)
-				 *     3. script (case-insensitive)
-				 *     4. One of the following characters:
-				 *        - \t
-				 *        - \n
-				 *        - \r (\r and \r\n newlines are normalized to \n in HTML pre-processing)
-				 *        - \f
-				 *        - " " (U+0020 SPACE)
-				 *        - /
-				 *        - >
-				 *
-				 * @see https://html.spec.whatwg.org/multipage/parsing.html#script-data-double-escaped-state
+				 * Identify risky script contents to escape when possible or reject otherwise.
 				 */
-				if (
+				$needs_escaping =
 					false !== stripos( $plaintext_content, '</script' ) ||
-					false !== stripos( $plaintext_content, '<script' )
-				) {
-					/*
-					 * JavaScript can be safely escaped with a few exceptions. This is achieved by
-					 * replacing dangerous sequences like "<script" and "</script" with a form
-					 * using a Unicode escape sequence "<\u0073cript>" and "</\u0073cript>".
-					 *
-					 * `<script` and `</script` appear in JavaScript source code in limited places,
-					 * all of which support a Unicode escape sequence on the "s" character.
-					 * JavaScript identifiers, string literals, template literals, and RegExp
-					 * literals all support Unicode escape sequences, meaning that the escaped form
-					 * is indistinguishable from the unescaped form when the JavaScript
-					 * is evaluated.
-					 *
-					 * There are a few exceptions where the escaped form can be detected:
-					 *
-					 * - The escaped form would appear in any JavaScript comments.
-					 * - “Raw” strings via `String.raw()` or the `raw` property of the first
-					 *   argument to a tagged template literal exposes the raw form, revealing any
-					 *   escaping that has been applied.
-					 * - The `source` property of a RegExp object reveals an escaped form the of
-					 *   the pattern.
-					 *
-					 * For JavaScript that needs to avoid these issues, workarounds may
-					 * be available. For example:
-					 *
-					 *      // Instead of this:
-					 *      const rawStringWillBeEscaped = String.raw`</script>`;
-					 *
-					 *      // This is a safe alternative:
-					 *      const rawStringWillBePreserved = String.raw`</scr` + String.raw`ipt>`;
-					 *
-					 * After escaping, the JavaScript result looks like this:
-					 *
-					 *      const rawStringWillBeEscaped = String.raw`</\u0073cript>`;
-					 *      // Evaluates to `'</\\u0073cript>'`.
-					 *
-					 *      const rawStringWillBePreserved = String.raw`</scr` + String.raw`ipt>`;
-					 *      // Evaluates to `'</script>'`.
-					 *
-					 * Escaping is applied only where strictly necessary, reducing the likelyhood
-					 * that observable differences manifest in the escaped JavaScript.
-					 *
-					 * This escaping strategy strikes will make ALL JavaScript safe to embed in
-					 * HTML in a way that is completely transparent in most cases.
-					 */
+					false !== stripos( $plaintext_content, '<script' );
+				if ( $needs_escaping ) {
 					if ( $this->is_javascript_script_tag() ) {
-						$plaintext_content = preg_replace_callback(
-							/*
-							 * This case-insensitive pattern consists of three groups (in order):
-							 *
-							 * HEAD:   "<" or "</"
-							 * S_CHAR: "s"
-							 * TAIL:   "cript" + a trailing tag name termination character
-							 */
-							'~(?P<HEAD></?)(?P<S_CHAR>s)(?P<TAIL>cript[\\t\\r\\n\\f />])~i',
-							static function ( $matches ) {
-								$escaped_s_char = 's' === $matches['S_CHAR']
-									? '\\u0073'
-									: '\\u0053';
-								return "{$matches['HEAD']}{$escaped_s_char}{$matches['TAIL']}";
-							},
-							$plaintext_content
-						);
+						$plaintext_content = $this->escape_javascript_script_contents( $plaintext_content );
 					} elseif ( $this->is_json_script_tag() ) {
-						/**
-						 * JSON can be safely escaped.
-						 *
-						 * The following replacement may appear insufficient, "<" is replaced
-						 * with its JSON escape sequence "\u003C" without considering whether
-						 * the "<" is preceded by an escaping backslash. JSON does not support
-						 * arbitrary character escaping in strings (unlike JavaScript) so "\<"
-						 * is invalid JSON and does not need to be considered.
-						 *
-						 * @see https://www.json.org/json-en.html
-						 */
-						$plaintext_content = strtr(
-							$plaintext_content,
-							array( '<' => '\\u003C' )
-						);
+						$plaintext_content = $this->escape_json_script_contents( $plaintext_content );
 					} else {
 						/*
 						 * Other types of script tags cannot be escaped safely because the type
@@ -4148,6 +4054,83 @@ private function is_json_script_tag(): bool {
 		return false;
 	}
 
+	/**
+	 * Escape JavaScript script tag contents.
+	 *
+	 * Prevent JavaScript text from modifying the HTML structure of a document and
+	 * ensure that it's contained within its enclosing SCRIPT tag as intended.
+	 *
+	 * JavaScript can be safely escaped with a few exceptions. This is achieved by
+	 * replacing dangerous sequences like "<script" and "</script" with a form
+	 * using a Unicode escape sequence "<\u0073cript>" and "</\u0073cript>".
+	 *
+	 * This text may appear in the JavaScript in limited ways, all of which support
+	 * the use of Unicode escape sequences on the "s" character. The escaping is safe
+	 * to perform in all JavaScript and the modified JavaScript maintains identical
+	 * behavior with a few exceptions:
+	 *
+	 * - Comments.
+	 * - Tagged templates like `String.raw()` that access “raw” strings.
+	 * - The `source` property of a RegExp object.
+	 *
+	 * For example, this input JavaScript:
+	 *
+	 *     // A comment: "</script>"
+	 *
+	 *     console.log( String.raw`</script>` );
+	 *
+	 *     const regex = /<script>/;
+	 *     console.log( regex.source );
+	 *
+	 * Is transformed to:
+	 *
+	 *     // A comment: "</\u0073cript>"
+	 *
+	 *     console.log( String.raw`</\u0073cript>` );
+	 *
+	 *     const regex = /<\u0073cript>/;
+	 *     console.log( regex.source );
+	 *
+	 * Note that the RegExp's matching behavior is equivalent, meaning that
+	 * `regex.test( '<script>' ) === true` in both the unescaped and
+	 * escaped versions.
+	 *
+	 * @see https://html.spec.whatwg.org/#restrictions-for-contents-of-script-elements
+	 */
+	private function escape_javascript_script_contents( string $text ): string {
+		return preg_replace_callback(
+			'~(?P<HEAD></?)(?P<S_CHAR>s)(?P<TAIL>cript[\\t\\r\\n\\f />])~i',
+			static function ( $matches ) {
+				$escaped_s_char = 's' === $matches['S_CHAR']
+					? '\\u0073'
+					: '\\u0053';
+				return "{$matches['HEAD']}{$escaped_s_char}{$matches['TAIL']}";
+			},
+			$text
+		);
+	}
+
+	/**
+	 * Escape JSON script tag contents.
+	 *
+	 * Prevent JSON text from modifying the HTML structure of a document and
+	 * ensure that it's contained within its enclosing SCRIPT tag as intended.
+	 *
+	 * JSON can be escaped simply by replacing "<" with its Unicode escape
+	 * sequence "\u003C". "<" is not part of the JSON syntax and only appears
+	 * in JSON strings, so it's always safe to escape. Furthermore, JSON only
+	 * does not allow backslash escaping of "<", so there's no need to
+	 * consider whether the "<" is escaped.
+	 *
+	 * @see https://www.json.org/json-en.html
+	 */
+	private function escape_json_script_contents( string $text ): string {
+		return strtr(
+			$text,
+			array( '<' => '\\u003C' )
+		);
+	}
+
 	/**
 	 * Updates or creates a new attribute on the currently matched tag with the passed value.
 	 *

From e399bf6a43966f4ee8a74c9910d4391f69669b67 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 22 Dec 2025 17:26:13 +0100
Subject: [PATCH 49/60] Tweak workaround documentation

---
 .../html-api/class-wp-html-tag-processor.php          | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index cf06d9cf467ea..db0448bbfd2bc 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -4095,6 +4095,17 @@ private function is_json_script_tag(): bool {
 	 * `regex.test( '<script>' ) === true` in both the unescaped and
 	 * escaped versions.
 	 *
+	 * JavaScript that is relies on behavior affected by this escaping must provide
+	 * safe script contents in order to avoid this escaping. For example, a raw string
+	 * may be split up to make its contents safe or avoided altogether:
+	 *
+	 *     console.log( String.raw`</script>` );                // !!UNSAFE!! Will be escaped.
+	 *     console.log( String.raw`</\u0073cript>` );           // "</\u0073cript>"
+	 *     console.log( String.raw`</scr` + String.raw`ipt>` ); // "</script>"
+	 *     console.log( String.raw`</${"script"}>` );           // "</script>"
+	 *     console.log( "\x3C/script>" );                       // "</script>"
+	 *     console.log( "<\/script>" );                         // "</script>"
+	 *
 	 * @see https://html.spec.whatwg.org/#restrictions-for-contents-of-script-elements
 	 */
 	private function escape_javascript_script_contents( string $text ): string {

From 83c1fab476f63e12f5f0594e686a43615fcfb12d Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 22 Dec 2025 18:40:30 +0100
Subject: [PATCH 50/60] Add ASCII chart about HTML script tags with original
 source

---
 .../html-api/class-wp-html-tag-processor.php  | 70 +++++++++++++++++++
 1 file changed, 70 insertions(+)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index db0448bbfd2bc..fc1f51360daf4 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -4106,6 +4106,38 @@ private function is_json_script_tag(): bool {
 	 *     console.log( "\x3C/script>" );                       // "</script>"
 	 *     console.log( "<\/script>" );                         // "</script>"
 	 *
+	 * The following graph is a simplified interpretation of how HTML interprets the contents
+	 * of a SCRIPT tag and identifies the closing tag. It is useful to understand what text
+	 * is dangerous inside of a SCRIPT tag and why different approaches to escaping work.
+	 *
+	 *                              Open script
+	 *                                  │
+	 *                                  │
+	 *                                  ▼
+	 *               ╔═════════════════════════════════════════╗   <!--(…)>
+	 *               ║                                         ║   (all dashes)
+	 *               ║                 script                  ║ ───────────────┐
+	 *               ║                  data                   ║                │
+	 *   ┌────────── ║                                         ║ ◀──────────────┘
+	 *   │           ╚═════════════════════════════════════════╝
+	 *   │             │               ▲                    ▲
+	 *   │             │ <!--          │ -->                └─────┐
+	 *   │             ▼               │                          │
+	 *   │           ┌─────────────────────────────────────────┐  │
+	 *   │ </script† │                 escaped                 │  │
+	 *   │           └─────────────────────────────────────────┘  │
+	 *   │             │               ▲             │            │ -->
+	 *   │             │ </script†     │ </script†   │ <script†   │
+	 *   │             ▼               │             ▼            │
+	 *   │           ╔══════════════╗  │           ┌───────────┐  │
+	 *   │           ║ Close script ║  │           │  double   │  │
+	 *   └─────────▶ ║              ║  └────────── │  escaped  │ ─┘
+	 *               ╚══════════════╝              └───────────┘
+	 *
+	 *        † = Case insensitive 'script' followed by one of ' \t\f\c\n/>'
+	 *
+	 * The original source of this graph is included at the bottom of this file.
+	 *
 	 * @see https://html.spec.whatwg.org/#restrictions-for-contents-of-script-elements
 	 */
 	private function escape_javascript_script_contents( string $text ): string {
@@ -4133,6 +4165,7 @@ static function ( $matches ) {
 	 * does not allow backslash escaping of "<", so there's no need to
 	 * consider whether the "<" is escaped.
 	 *
+	 * @see WP_HTML_Tag_Processor::escape_javascript_script_contents()
 	 * @see https://www.json.org/json-en.html
 	 */
 	private function escape_json_script_contents( string $text ): string {
@@ -4932,3 +4965,40 @@ public function get_doctype_info(): ?WP_HTML_Doctype_Info {
 	 */
 	const TEXT_IS_WHITESPACE = 'TEXT_IS_WHITESPACE';
 }
+
+/*
+# This is the original Graphviz source for the SCRIPT content
+# parsinge behavior. It's used in the documention of
+# `WP_HTML_Tag_Processor::escape_javascript_script_contents()`.
+# ====
+digraph {
+	rankdir=TB;
+
+    // Entry point
+    entry [shape=plaintext label="Open script"];
+    entry -> script_data;
+
+	// Double-circle states arranged more compactly
+	data [shape=doublecircle label="Close script"];
+	script_data [shape=doublecircle color=blue label="script\ndata"];
+	script_data_escaped [shape=circle color=orange label="escaped"];
+	script_data_double_escaped [shape=circle color=red label="double\nescaped"];
+
+	// Group related nodes on same ranks where possible
+	{rank=same; script_data script_data_escaped script_data_double_escaped}
+
+	script_data -> script_data [label="<!--(…)>\n(all dashes)"];
+	script_data -> script_data_escaped [label="<!--"];
+	script_data -> data [label="</script†"];
+
+	script_data_escaped -> script_data [label="-->"];
+	script_data_escaped -> script_data_double_escaped [label="<script†"];
+	script_data_escaped -> data [label="</script†"];
+
+	script_data_double_escaped -> script_data [label="-->"];
+	script_data_double_escaped -> script_data_escaped [label="</script†"];
+
+	label="† = Case insensitive 'script' followed by one of ' \\t\\f\\c\\n/>'";
+    labelloc=b;
+}
+*/

From 18726817730f7807a70e3e1de618b42197b1d117 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 22 Dec 2025 18:44:01 +0100
Subject: [PATCH 51/60] Improve linking between escapes

---
 src/wp-includes/html-api/class-wp-html-tag-processor.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index fc1f51360daf4..92462873f7dd7 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -4165,7 +4165,7 @@ static function ( $matches ) {
 	 * does not allow backslash escaping of "<", so there's no need to
 	 * consider whether the "<" is escaped.
 	 *
-	 * @see WP_HTML_Tag_Processor::escape_javascript_script_contents()
+	 * For more details, see {@see WP_HTML_Tag_Processor::escape_javascript_script_contents()}.
 	 * @see https://www.json.org/json-en.html
 	 */
 	private function escape_json_script_contents( string $text ): string {

From 83ff62fab13559e0359a84d3d75e158806dfab62 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 22 Dec 2025 18:51:16 +0100
Subject: [PATCH 52/60] Fix comments, typos, lints

---
 .../html-api/class-wp-html-tag-processor.php  | 32 +++++++++----------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 92462873f7dd7..05df59d40671b 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3811,14 +3811,14 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 
 		switch ( $this->get_tag() ) {
 			case 'SCRIPT':
-				/*
-				 * SCRIPT tag contents can be dangerous:
+				/**
+				 * Identify risky script contents to escape when possible or reject otherwise:
 				 *
 				 * - "</script>" could close the SCRIPT element prematurely.
-				 * - "<script>" could enter the “script data double escaped state” and preventing the
+				 * - "<script>" could enter the “script data double escaped state” and prevent the
 				 *   SCRIPT element from closing as expected.
 				 *
-				 * Identify risky script contents to escape when possible or reject otherwise.
+				 * @see WP_HTML_Tag_Processor::escape_javascript_script_contents()
 				 */
 				$needs_escaping =
 					false !== stripos( $plaintext_content, '</script' ) ||
@@ -3830,8 +3830,8 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 						$plaintext_content = $this->escape_json_script_contents( $plaintext_content );
 					} else {
 						/*
-						 * Other types of script tags cannot be escaped safely because the type
-						 * of comment and escaping strategy are unknown.
+						 * Other types of script tags cannot be escaped safely because there is
+						 * no general escaping mechanism for arbitrary types of content.
 						 */
 						return false;
 					}
@@ -4095,7 +4095,7 @@ private function is_json_script_tag(): bool {
 	 * `regex.test( '<script>' ) === true` in both the unescaped and
 	 * escaped versions.
 	 *
-	 * JavaScript that is relies on behavior affected by this escaping must provide
+	 * JavaScript that relies on behavior affected by this escaping must provide
 	 * safe script contents in order to avoid this escaping. For example, a raw string
 	 * may be split up to make its contents safe or avoided altogether:
 	 *
@@ -4161,9 +4161,9 @@ static function ( $matches ) {
 	 *
 	 * JSON can be escaped simply by replacing "<" with its Unicode escape
 	 * sequence "\u003C". "<" is not part of the JSON syntax and only appears
-	 * in JSON strings, so it's always safe to escape. Furthermore, JSON only
-	 * does not allow backslash escaping of "<", so there's no need to
-	 * consider whether the "<" is escaped.
+	 * in JSON strings, so it's always safe to escape. Furthermore, JSON does
+	 * not allow backslash escaping of "<", so there's no need to consider
+	 * whether the "<" is preceded by an escaping backslash.
 	 *
 	 * For more details, see {@see WP_HTML_Tag_Processor::escape_javascript_script_contents()}.
 	 * @see https://www.json.org/json-en.html
@@ -4967,16 +4967,16 @@ public function get_doctype_info(): ?WP_HTML_Doctype_Info {
 }
 
 /*
-# This is the original Graphviz source for the SCRIPT content
-# parsinge behavior. It's used in the documention of
+# This is the original Graphviz source for the SCRIPT tag
+# parsing behavior. It's used in the documentation for
 # `WP_HTML_Tag_Processor::escape_javascript_script_contents()`.
 # ====
 digraph {
 	rankdir=TB;
 
-    // Entry point
-    entry [shape=plaintext label="Open script"];
-    entry -> script_data;
+	// Entry point
+	entry [shape=plaintext label="Open script"];
+	entry -> script_data;
 
 	// Double-circle states arranged more compactly
 	data [shape=doublecircle label="Close script"];
@@ -4999,6 +4999,6 @@ public function get_doctype_info(): ?WP_HTML_Doctype_Info {
 	script_data_double_escaped -> script_data_escaped [label="</script†"];
 
 	label="† = Case insensitive 'script' followed by one of ' \\t\\f\\c\\n/>'";
-    labelloc=b;
+	labelloc=b;
 }
 */

From 5979782965770b8a333b649d94564eb32b9dd5e3 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 22 Dec 2025 18:56:42 +0100
Subject: [PATCH 53/60] fixup! Fix comments, typos, lints

---
 .../tests/html-api/wpHtmlTagProcessorModifiableText.php  | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
index 132bb6bbad495..f1598532d1fa1 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
@@ -444,8 +444,9 @@ public static function data_tokens_with_basic_modifiable_text_updates() {
 	/**
 	 * Ensures that updates with potentially-compromising values aren't accepted.
 	 *
-	 * For example, a modifiable text update should be allowed which would break
-	 * the structure of the containing element, such as in a script or comment.
+	 * For example, a modifiable text update that would change the structure of the HTML
+	 * document is not allowed, like attempting to set `-->` within a comment or `</script>`
+	 * within a a text/plain SCRIPT tag.
 	 *
 	 * @ticket 61617
 	 * @ticket 62797
@@ -467,7 +468,7 @@ public function test_rejects_dangerous_updates( string $html_with_nonempty_modif
 
 		$this->assertFalse(
 			$processor->set_modifiable_text( $invalid_update ),
-			'Should have reject possibly-compromising modifiable text update.'
+			'Should have rejected possibly-compromising modifiable text update.'
 		);
 
 		// Flush updates.
@@ -490,7 +491,7 @@ public static function data_unallowed_modifiable_text_updates() {
 			'Comment with -->'                        => array( '<!-- this is a comment -->', 'Comments end in -->' ),
 			'Comment with --!>'                       => array( '<!-- this is a comment -->', 'Invalid but legitimate comments end in --!>' ),
 			'Non-JS SCRIPT with <script>'             => array( '<script type="text/html">Replace me</script>', '<!-- Just a <script>' ),
-			'Non-JS SCRIPT with </script>'            => array( '<script type="text/html">Replace me</script>', 'Just a </script>' ),
+			'Non-JS SCRIPT with </script>'            => array( '<script type="text/plain">Replace me</script>', 'Just a </script>' ),
 			'Non-JS SCRIPT with <script attributes>'  => array( '<script language="text">Replace me</script>', '<!-- <script sneaky>after' ),
 			'Non-JS SCRIPT with </script attributes>' => array( '<script language="text">Replace me</script>', 'before</script sneaky>after' ),
 		);

From d469ae4be14fa5a484544e16c56750cbe1f8b377 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 22 Dec 2025 19:02:50 +0100
Subject: [PATCH 54/60] fixup! fixup! Fix comments, typos, lints

---
 .../phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
index f1598532d1fa1..a0808d8c1de57 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
@@ -446,7 +446,7 @@ public static function data_tokens_with_basic_modifiable_text_updates() {
 	 *
 	 * For example, a modifiable text update that would change the structure of the HTML
 	 * document is not allowed, like attempting to set `-->` within a comment or `</script>`
-	 * within a a text/plain SCRIPT tag.
+	 * within a text/plain SCRIPT tag.
 	 *
 	 * @ticket 61617
 	 * @ticket 62797

From 402ae9f9feb0fb1ff21ffbe44e930d23c5b1ecc2 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 22 Dec 2025 19:08:04 +0100
Subject: [PATCH 55/60] Fix \c -> \r (carriage return) typo

---
 src/wp-includes/html-api/class-wp-html-tag-processor.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 05df59d40671b..a5f46af35077b 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -4134,7 +4134,7 @@ private function is_json_script_tag(): bool {
 	 *   └─────────▶ ║              ║  └────────── │  escaped  │ ─┘
 	 *               ╚══════════════╝              └───────────┘
 	 *
-	 *        † = Case insensitive 'script' followed by one of ' \t\f\c\n/>'
+	 *        † = Case insensitive 'script' followed by one of ' \t\f\r\n/>'
 	 *
 	 * The original source of this graph is included at the bottom of this file.
 	 *
@@ -4998,7 +4998,7 @@ public function get_doctype_info(): ?WP_HTML_Doctype_Info {
 	script_data_double_escaped -> script_data [label="-->"];
 	script_data_double_escaped -> script_data_escaped [label="</script†"];
 
-	label="† = Case insensitive 'script' followed by one of ' \\t\\f\\c\\n/>'";
+	label="† = Case insensitive 'script' followed by one of ' \\t\\f\\r\\n/>'";
 	labelloc=b;
 }
 */

From 6b2c9ba997c35199306d86e126111165f81cd911 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 22 Dec 2025 19:11:16 +0100
Subject: [PATCH 56/60] Add note about not parsing MIME types for JS script
 tags

---
 src/wp-includes/html-api/class-wp-html-tag-processor.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index a5f46af35077b..a0dfcb7e2ff2a 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3895,6 +3895,9 @@ static function ( $tag_match ) {
 	/**
 	 * Indicates if the currently matched tag is a JavaScript script tag.
 	 *
+	 * Note that this does not parse a MIME type. This behavior is well-documented in
+	 * in the HTML standard and uses string comparisons, *not* actual MIME Types.
+	 *
 	 * @see https://html.spec.whatwg.org/multipage/scripting.html#prepare-the-script-element
 	 *
 	 * @ignore

From eef0ccbd89e00afffc6554a050801ee4cc056718 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 22 Dec 2025 19:12:13 +0100
Subject: [PATCH 57/60] Add todo comment to is_json_script_tag

---
 src/wp-includes/html-api/class-wp-html-tag-processor.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index a0dfcb7e2ff2a..6b87d250288b3 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -4016,6 +4016,7 @@ private function is_javascript_script_tag(): bool {
 	 *
 	 * @ignore
 	 * @todo Consider a public API that is clear and general.
+	 * @todo Use a MIME type parser when available.
 	 *
 	 * @since 7.0.0
 	 *

From 71d268670ba337f763c04baf9830bed074d03546 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 22 Dec 2025 19:15:04 +0100
Subject: [PATCH 58/60] Re-order tag name termination chars to match elsewhere

---
 src/wp-includes/html-api/class-wp-html-tag-processor.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 6b87d250288b3..0ccf83828f15d 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -4146,7 +4146,7 @@ private function is_json_script_tag(): bool {
 	 */
 	private function escape_javascript_script_contents( string $text ): string {
 		return preg_replace_callback(
-			'~(?P<HEAD></?)(?P<S_CHAR>s)(?P<TAIL>cript[\\t\\r\\n\\f />])~i',
+			'~(?P<HEAD></?)(?P<S_CHAR>s)(?P<TAIL>cript[ \\t\\f\\r\\n/>])~i',
 			static function ( $matches ) {
 				$escaped_s_char = 's' === $matches['S_CHAR']
 					? '\\u0073'

From d4693a27ffaf7950b7e5aaef4c4d47268c07607d Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 22 Dec 2025 19:15:37 +0100
Subject: [PATCH 59/60] Fix typo

---
 tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
index 9f89f78a2fcd4..f7da39a887d71 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorScriptTag.php
@@ -102,7 +102,7 @@ public static function data_is_javascript_script_tag(): array {
 			'Script tag with language="jscript"'         => array( '<script language="jscript"></script>', true ),
 			'Script tag with language="livescript"'      => array( '<script language="livescript"></script>', true ),
 
-			// Whitespace is not trimmed in the langauge attribute.
+			// Whitespace is not trimmed in the language attribute.
 			'Script tag with language=" javascript"'     => array( '<script language=" javascript"></script>', false ),
 
 			// Non-JavaScript script tags - should NOT be JavaScript.

From 4c3b0b21a4d6f795984733d21ceb384a86920cba Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 29 Dec 2025 17:50:00 +0100
Subject: [PATCH 60/60] Update comments on tag prefixes matching search pattern

---
 src/wp-includes/html-api/class-wp-html-tag-processor.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 0ccf83828f15d..d53709051062d 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3814,8 +3814,8 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 				/**
 				 * Identify risky script contents to escape when possible or reject otherwise:
 				 *
-				 * - "</script>" could close the SCRIPT element prematurely.
-				 * - "<script>" could enter the “script data double escaped state” and prevent the
+				 * - "</script" could close the SCRIPT element prematurely.
+				 * - "<script" could enter the “script data double escaped state” and prevent the
 				 *   SCRIPT element from closing as expected.
 				 *
 				 * @see WP_HTML_Tag_Processor::escape_javascript_script_contents()