From 353fa40c01eead7df3f4ed20cc9e073f4027d7ff Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 23 Jul 2025 20:30:56 +0200
Subject: [PATCH 01/18] Add test for unclosed script tag

---
 tests/phpunit/tests/blocks/editor.php | 62 +++++++++++++++++++++++----
 1 file changed, 54 insertions(+), 8 deletions(-)

diff --git a/tests/phpunit/tests/blocks/editor.php b/tests/phpunit/tests/blocks/editor.php
index 838137fa76f0d..7952fefb7ca32 100644
--- a/tests/phpunit/tests/blocks/editor.php
+++ b/tests/phpunit/tests/blocks/editor.php
@@ -9,7 +9,6 @@
  * @group blocks
  */
 class Tests_Blocks_Editor extends WP_UnitTestCase {
-
 	/**
 	 * Sets up each test method.
 	 */
@@ -631,8 +630,8 @@ function filter_add_preload_paths( $preload_paths, WP_Block_Editor_Context $cont
 
 		$after = implode( '', wp_scripts()->registered['wp-api-fetch']->extra['after'] );
 		$this->assertStringContainsString( 'wp.apiFetch.createPreloadingMiddleware', $after );
-		$this->assertStringContainsString( '"\/wp\/v2\/blocks"', $after );
-		$this->assertStringContainsString( '"\/wp\/v2\/types"', $after );
+		$this->assertStringContainsString( '"/wp/v2/blocks"', $after );
+		$this->assertStringContainsString( '"/wp/v2/types"', $after );
 	}
 
 	/**
@@ -697,11 +696,11 @@ public function data_block_editor_rest_api_preload_adds_missing_leading_slash()
 		return array(
 			'a string without a slash'               => array(
 				'preload_paths' => array( 'wp/v2/blocks' ),
-				'expected'      => '\/wp\/v2\/blocks',
+				'expected'      => '/wp/v2/blocks',
 			),
 			'a string with a slash'                  => array(
 				'preload_paths' => array( '/wp/v2/blocks' ),
-				'expected'      => '\/wp\/v2\/blocks',
+				'expected'      => '/wp/v2/blocks',
 			),
 			'a string starting with a question mark' => array(
 				'preload_paths' => array( '?context=edit' ),
@@ -709,16 +708,63 @@ public function data_block_editor_rest_api_preload_adds_missing_leading_slash()
 			),
 			'an array with a string without a slash' => array(
 				'preload_paths' => array( array( 'wp/v2/blocks', 'OPTIONS' ) ),
-				'expected'      => '\/wp\/v2\/blocks',
+				'expected'      => '/wp/v2/blocks',
 			),
 			'an array with a string with a slash'    => array(
 				'preload_paths' => array( array( '/wp/v2/blocks', 'OPTIONS' ) ),
-				'expected'      => '\/wp\/v2\/blocks',
+				'expected'      => '/wp/v2/blocks',
 			),
 			'an array with a string starting with a question mark' => array(
 				'preload_paths' => array( array( '?context=edit', 'OPTIONS' ) ),
-				'expected'      => '\/?context=edit',
+				'expected'      => '/?context=edit',
 			),
 		);
 	}
+
+	/**
+	 * @ticket 62797
+	 *
+	 * @covers ::block_editor_rest_api_preload
+	 *
+	 * Some valid JSON-encoded data is dangerous to embed in HTML without appropriate
+	 * escaping. This test includes prints an example of such data that would prevent
+	 * the enclosing `<script>` from closing on its apparent closer and remain open.
+	 */
+	public function test_ensure_preload_data_script_tag_closes() {
+		add_theme_support( 'html5', array( 'script' ) );
+		register_rest_route(
+			'test/v0',
+			'test-62797',
+			array(
+				'methods'             => 'GET',
+				'callback'            => function () {
+					return '<!-- unclosed comment and a script tag <script></script>';
+				},
+				'permission_callback' => '__return_true',
+			)
+		);
+
+		// Prevent a bunch of noisy or unstable data from being included in the test output.
+		wp_scripts()->registered['wp-api-fetch']->ver            = 'test';
+		wp_scripts()->registered['wp-api-fetch']->extra['after'] = array();
+
+		block_editor_rest_api_preload(
+			array( '/test/v0/test-62797' ),
+			new WP_Block_Editor_Context()
+		);
+
+		ob_start();
+		wp_scripts()->do_item( 'wp-api-fetch' );
+		$output = ob_get_clean();
+
+		$baseurl  = site_url();
+		$expected = <<<HTML
+<script src="{$baseurl}/wp-includes/js/dist/api-fetch.min.js?ver=test" id="wp-api-fetch-js"></script>
+<script id="wp-api-fetch-js-after">
+wp.apiFetch.use( wp.apiFetch.createPreloadingMiddleware( {"/test/v0/test-62797":{"body":["\\u003C!-- unclosed comment and a script tag \\u003Cscript\\u003E\\u003C/script\\u003E"],"headers":{"Allow":"GET"}}} ) );
+</script>
+
+HTML;
+		$this->assertEqualHTML( $expected, $output );
+	}
 }

From adc0ab3354dbbbc0100070c499fb337f3d226877 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 23 Jul 2025 20:31:28 +0200
Subject: [PATCH 02/18] Escape script modifiable text

---
 .../html-api/class-wp-html-tag-processor.php  | 138 +++++++++++++++++-
 1 file changed, 137 insertions(+), 1 deletion(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 032ca2af32e57..46d1dd3d8e4fd 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3736,7 +3736,26 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 				 * that previously worked. Resolve this by not sending `</script`
 				 */
 				if ( false !== stripos( $plaintext_content, '</script' ) ) {
-					return false;
+					/*
+					 * JavaScript can be safely escaped.
+					 * Non-JavaScript script tags have unknown semantics.
+					 *
+					 * @todo consider applying to JSON and importmap script tags as well.
+					 */
+					if ( $this->is_javascript_script_tag() ) {
+						$plaintext_content = preg_replace_callback(
+							'~<(/?)(s)(cript)~i',
+							static function ( $matches ) {
+								$escaped_s_char = 's' === $matches[2]
+									? '\u0073'
+									: '\u0053';
+								return "<{$matches[1]}{$escaped_s_char}{$matches[3]}";
+							},
+							$plaintext_content
+						);
+					} else {
+						return false;
+					}
 				}
 
 				$this->lexical_updates['modifiable text'] = new WP_HTML_Text_Replacement(
@@ -3794,6 +3813,123 @@ static function ( $tag_match ) {
 		return false;
 	}
 
+	/**
+	 * Indicates if the currently matched tag is a JavaScript script tag.
+	 *
+	 * @see https://html.spec.whatwg.org/multipage/scripting.html#prepare-the-script-element
+	 *
+	 * @since {WP_VERSION}
+	 *
+	 * @return boolean True if the script tag will be evaluated as JavaScript.
+	 */
+	public function is_javascript_script_tag(): bool {
+		if ( 'SCRIPT' !== $this->get_tag() || $this->get_namespace() !== 'html' ) {
+			return false;
+		}
+
+		/*
+		 * > If any of the following are true:
+		 * >   - el has a type attribute whose value is the empty string;
+		 * >   - el has no type attribute but it has a language attribute and that attribute's
+		 * >     value is the empty string; or
+		 * >   - el has neither a type attribute nor a language attribute,
+		 * > then let the script block's type string for this script element be "text/javascript".
+		 */
+		$type_attr     = $this->get_attribute( 'type' );
+		$language_attr = $this->get_attribute( 'language' );
+
+		if ( true === $type_attr || '' === $type_attr ) {
+			return true;
+		}
+		if (
+			null === $type_attr && (
+				true === $language_attr ||
+				'' === $language_attr ||
+				null === $language_attr
+			)
+		) {
+			return true;
+		}
+
+		/*
+		 * > Otherwise, if el has a type attribute, then let the script block's type string be
+		 * > the value of that attribute with leading and trailing ASCII whitespace stripped.
+		 * > Otherwise, el has a non-empty language attribute; let the script block's type string
+		 * > be the concatenation of "text/" and the value of el's language attribute.
+		 */
+		$type_string = $type_attr ? trim( $type_attr, " \t\f\r\n" ) : "text/{$language_attr}";
+
+		/*
+		 * > If the script block's type string is a JavaScript MIME type essence match, then
+		 * > set el's type to "classic".
+		 *
+		 * > A string is a JavaScript MIME type essence match if it is an ASCII case-insensitive
+		 * > match for one of the JavaScript MIME type essence strings.
+
+		 * > A JavaScript MIME type is any MIME type whose essence is one of the following:
+		 * >
+		 * > - application/ecmascript
+		 * > - application/javascript
+		 * > - application/x-ecmascript
+		 * > - application/x-javascript
+		 * > - text/ecmascript
+		 * > - text/javascript
+		 * > - text/javascript1.0
+		 * > - text/javascript1.1
+		 * > - text/javascript1.2
+		 * > - text/javascript1.3
+		 * > - text/javascript1.4
+		 * > - text/javascript1.5
+		 * > - text/jscript
+		 * > - text/livescript
+		 * > - text/x-ecmascript
+		 * > - text/x-javascript
+		 *
+		 * @see https://mimesniff.spec.whatwg.org/#javascript-mime-type
+		 * @see https://mimesniff.spec.whatwg.org/#javascript-mime-type-essence-match
+		 */
+		switch ( strtolower( $type_string ) ) {
+			case 'application/ecmascript':
+			case 'application/javascript':
+			case 'application/x-ecmascript':
+			case 'application/x-javascript':
+			case 'text/ecmascript':
+			case 'text/javascript':
+			case 'text/javascript1.0':
+			case 'text/javascript1.1':
+			case 'text/javascript1.2':
+			case 'text/javascript1.3':
+			case 'text/javascript1.4':
+			case 'text/javascript1.5':
+			case 'text/jscript':
+			case 'text/livescript':
+			case 'text/x-ecmascript':
+			case 'text/x-javascript':
+				return true;
+
+			/*
+			* > Otherwise, if the script block's type string is an ASCII case-insensitive match for
+			* > the string "module", then set el's type to "module".
+			*
+			* A module is evaluated as JavaScript
+			*/
+			case 'module':
+				return true;
+		}
+
+		/*
+		 * > - Otherwise, if the script block's type string is an ASCII case-insensitive match for
+		 * >   the string "importmap", then set el's type to "importmap".
+		 *
+		 * An importmap is JSON and not evaluated as JavaScript. This case is not handled here.
+		 */
+
+		/*
+		 * > Otherwise, return. (No script is executed, and el's type is left as null.)
+		 */
+		return false;
+	}
+
 	/**
 	 * Updates or creates a new attribute on the currently matched tag with the passed value.
 	 *

From 1639b2b422785db613f2c0c735b2d3de76027101 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 23 Jul 2025 20:53:44 +0200
Subject: [PATCH 03/18] Stop escaping slashes, json_encode dangerously

This helps demonstrate the effectiveness.
---
 src/wp-includes/block-editor.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wp-includes/block-editor.php b/src/wp-includes/block-editor.php
index 2bd9f2dfbf050..96fc9c4eb6149 100644
--- a/src/wp-includes/block-editor.php
+++ b/src/wp-includes/block-editor.php
@@ -766,7 +766,7 @@ function block_editor_rest_api_preload( array $preload_paths, $block_editor_cont
 		'wp-api-fetch',
 		sprintf(
 			'wp.apiFetch.use( wp.apiFetch.createPreloadingMiddleware( %s ) );',
-			wp_json_encode( $preload_data )
+			wp_json_encode( $preload_data, JSON_UNESCAPED_SLASHES )
 		),
 		'after'
 	);

From fe6434dbec9bffb03555d3392c065cdd0da8dbcd Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 23 Jul 2025 20:55:07 +0200
Subject: [PATCH 04/18] Use the tag processor to correctly extract script tag
 contents

---
 src/wp-includes/functions.wp-scripts.php | 30 ++++++++++++++----------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/src/wp-includes/functions.wp-scripts.php b/src/wp-includes/functions.wp-scripts.php
index 1be1822aa7c3d..68e294f5be7c5 100644
--- a/src/wp-includes/functions.wp-scripts.php
+++ b/src/wp-includes/functions.wp-scripts.php
@@ -130,18 +130,24 @@ function wp_print_scripts( $handles = false ) {
 function wp_add_inline_script( $handle, $data, $position = 'after' ) {
 	_wp_scripts_maybe_doing_it_wrong( __FUNCTION__, $handle );
 
-	if ( false !== stripos( $data, '</script>' ) ) {
-		_doing_it_wrong(
-			__FUNCTION__,
-			sprintf(
-				/* translators: 1: <script>, 2: wp_add_inline_script() */
-				__( 'Do not pass %1$s tags to %2$s.' ),
-				'<code>&lt;script&gt;</code>',
-				'<code>wp_add_inline_script()</code>'
-			),
-			'4.5.0'
-		);
-		$data = trim( preg_replace( '#<script[^>]*>(.*)</script>#is', '$1', $data ) );
+	if ( false !== stripos( $data, '<script>' ) ) {
+
+		// The script tag should be the only token, otherwise it's not a <script> tag.
+		$processor = new WP_HTML_Tag_Processor( $data );
+		$processor->next_token();
+		if ( $processor->get_tag() === 'SCRIPT' ) {
+			_doing_it_wrong(
+				__FUNCTION__,
+				sprintf(
+					/* translators: 1: <script>, 2: wp_add_inline_script() */
+					__( 'Do not pass %1$s tags to %2$s.' ),
+					'<code>&lt;script&gt;</code>',
+					'<code>wp_add_inline_script()</code>'
+				),
+				'4.5.0'
+			);
+			$data = $processor->get_modifiable_text();
+		}
 	}
 
 	return wp_scripts()->add_inline_script( $handle, $data, $position );

From ced9c0f1870b09483f96764578f177ad787d62ba Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 23 Jul 2025 20:55:23 +0200
Subject: [PATCH 05/18] Use the tag processor to correctly set script tag
 contents

---
 src/wp-includes/script-loader.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/wp-includes/script-loader.php b/src/wp-includes/script-loader.php
index 54193c841c7c3..52578b880062d 100644
--- a/src/wp-includes/script-loader.php
+++ b/src/wp-includes/script-loader.php
@@ -3006,6 +3006,12 @@ function wp_get_inline_script_tag( $data, $attributes = array() ) {
 	 */
 	$attributes = apply_filters( 'wp_inline_script_attributes', $attributes, $data );
 
+	$script_tag = sprintf( '<script%s></script>', wp_sanitize_script_attributes( $attributes ) );
+	$processor  = new WP_HTML_Tag_Processor( $script_tag );
+	if ( $processor->next_tag( 'SCRIPT' ) && $processor->set_modifiable_text( $data ) ) {
+		return $processor->get_updated_html() . "\n";
+	}
+
 	return sprintf( "<script%s>%s</script>\n", wp_sanitize_script_attributes( $attributes ), $data );
 }
 

From 4b194ef24e93c14d949b2654c4230fccc00096a2 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 23 Jul 2025 20:56:39 +0200
Subject: [PATCH 06/18] Improve closing script tag test

---
 tests/phpunit/tests/blocks/editor.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/phpunit/tests/blocks/editor.php b/tests/phpunit/tests/blocks/editor.php
index 7952fefb7ca32..71d28e62a4e6f 100644
--- a/tests/phpunit/tests/blocks/editor.php
+++ b/tests/phpunit/tests/blocks/editor.php
@@ -738,7 +738,7 @@ public function test_ensure_preload_data_script_tag_closes() {
 			array(
 				'methods'             => 'GET',
 				'callback'            => function () {
-					return '<!-- unclosed comment and a script tag <script></script>';
+					return '<!-- unclosed comment and a script tag <SCRIPT></SCRIPT><script></script>';
 				},
 				'permission_callback' => '__return_true',
 			)
@@ -761,7 +761,7 @@ public function test_ensure_preload_data_script_tag_closes() {
 		$expected = <<<HTML
 <script src="{$baseurl}/wp-includes/js/dist/api-fetch.min.js?ver=test" id="wp-api-fetch-js"></script>
 <script id="wp-api-fetch-js-after">
-wp.apiFetch.use( wp.apiFetch.createPreloadingMiddleware( {"/test/v0/test-62797":{"body":["\\u003C!-- unclosed comment and a script tag \\u003Cscript\\u003E\\u003C/script\\u003E"],"headers":{"Allow":"GET"}}} ) );
+wp.apiFetch.use( wp.apiFetch.createPreloadingMiddleware( {"/test/v0/test-62797":{"body":["<!-- unclosed comment and a script tag <\u0053CRIPT></\u0053CRIPT><\u0073cript></\u0073cript>"],"headers":{"Allow":"GET"}}} ) );
 </script>
 
 HTML;

From f8df461594f234923d968947e4990c0d397879a6 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 23 Jul 2025 22:06:00 +0200
Subject: [PATCH 07/18] Fix failing tests

---
 .../tests/html-api/wpHtmlTagProcessorModifiableText.php       | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
index 5be6bb8f73083..75cd9c1bf84af 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
@@ -488,8 +488,8 @@ public static function data_unallowed_modifiable_text_updates() {
 		return array(
 			'Comment with -->'                 => array( '<!-- this is a comment -->', 'Comments end in -->' ),
 			'Comment with --!>'                => array( '<!-- this is a comment -->', 'Invalid but legitimate comments end in --!>' ),
-			'SCRIPT with </script>'            => array( '<script>Replace me</script>', 'Just a </script>' ),
-			'SCRIPT with </script attributes>' => array( '<script>Replace me</script>', 'before</script id=sneak>after' ),
+			'SCRIPT with </script>'            => array( '<script type="text/xml">Replace me</script>', 'Just a </script>' ),
+			'SCRIPT with </script attributes>' => array( '<script language="plaintext">Replace me</script>', 'before</script id=sneak>after' ),
 		);
 	}
 }

From b26f45d7bc0ae0454dfa2c8864ae86ba81966253 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 23 Jul 2025 22:35:46 +0200
Subject: [PATCH 08/18] Add dangerous script escaping tests

---
 .../wpHtmlTagProcessorModifiableText.php      | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
index 75cd9c1bf84af..7ab76ad110f8c 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
@@ -492,4 +492,39 @@ public static function data_unallowed_modifiable_text_updates() {
 			'SCRIPT with </script attributes>' => array( '<script language="plaintext">Replace me</script>', 'before</script id=sneak>after' ),
 		);
 	}
+
+	/**
+	 * Ensures that script tag contents are safely updated.
+	 *
+	 * @ticket 62797
+	 *
+	 * @dataProvider data_script_tag_text_updates
+	 *
+	 * @param string $html     HTML containing a SCRIPT tag to be modified.
+	 * @param string $update   Update containing possibly-compromising text.
+	 * @param string $expected Expected result.
+	 */
+	public function test_safely_updates_dangerous_javascript_script_tag_contents( string $html, string $update, string $expected ) {
+		$processor = new WP_HTML_Tag_Processor( $html );
+		$this->assertTrue( $processor->next_tag( 'SCRIPT' ) );
+		$this->assertTrue( $processor->set_modifiable_text( $update ) );
+		$this->assertSame( $expected, $processor->get_updated_html() );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array[]
+	 */
+	public static function data_script_tag_text_updates(): array {
+		return array(
+			'Simple update'         => array( '<script></script>', '{}', '<script>{}</script>' ),
+			'var script;1<script>0' => array( '<script></script>', 'var script;1<script>0', '<script>var script;1<\u0073cript>0</script>' ),
+			'1</script>/'           => array( '<script></script>', '1</script>/', '<script>1</\u0073cript>/</script>' ),
+			'var SCRIPT;1<SCRIPT>0' => array( '<script></script>', 'var SCRIPT;1<SCRIPT>0', '<script>var SCRIPT;1<\u0053CRIPT>0</script>' ),
+			'1</SCRIPT>/'           => array( '<script></script>', '1</SCRIPT>/', '<script>1</\u0053CRIPT>/</script>' ),
+			'"</script>"'           => array( '<script></script>', '"</script>"', '<script>"</\u0073cript>"</script>' ),
+			'"</ScRiPt>"'           => array( '<script></script>', '"</ScRiPt>"', '<script>"</\u0053cRiPt>"</script>' ),
+		);
+	}
 }

From 4b9aa42a1681c1518b6a526246b8071016db04dd Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 23 Jul 2025 22:36:37 +0200
Subject: [PATCH 09/18] Apply script tag escaping in case of <script

---
 src/wp-includes/html-api/class-wp-html-tag-processor.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 46d1dd3d8e4fd..aca907cb50272 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3735,7 +3735,10 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 				 * properly escape these things, but this could mask regex patterns
 				 * that previously worked. Resolve this by not sending `</script`
 				 */
-				if ( false !== stripos( $plaintext_content, '</script' ) ) {
+				if (
+					false !== stripos( $plaintext_content, '</script' ) ||
+					false !== stripos( $plaintext_content, '<script' )
+				) {
 					/*
 					 * JavaScript can be safely escaped.
 					 * Non-JavaScript script tags have unknown semantics.

From 4f6d9d3df2f685e6fb0325cf5c8f35f1d1895f79 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 30 Jul 2025 17:27:29 +0200
Subject: [PATCH 10/18] Improve script tag check

---
 src/wp-includes/functions.wp-scripts.php | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/wp-includes/functions.wp-scripts.php b/src/wp-includes/functions.wp-scripts.php
index 68e294f5be7c5..49971b5bafe22 100644
--- a/src/wp-includes/functions.wp-scripts.php
+++ b/src/wp-includes/functions.wp-scripts.php
@@ -130,9 +130,22 @@ function wp_print_scripts( $handles = false ) {
 function wp_add_inline_script( $handle, $data, $position = 'after' ) {
 	_wp_scripts_maybe_doing_it_wrong( __FUNCTION__, $handle );
 
-	if ( false !== stripos( $data, '<script>' ) ) {
-
-		// The script tag should be the only token, otherwise it's not a <script> tag.
+	/*
+	 * Check whether the script data appears to be enclosed in an HTML <script> tag.
+	 */
+	if (
+		strlen( $data ) >= 17 &&
+		0 === substr_compare( $data, '<script', 0, 7, true ) &&
+		(
+			"\t" === $data[7] ||
+			"\n" === $data[7] ||
+			"\f" === $data[7] ||
+			' ' === $data[7] ||
+			'/' === $data[7] ||
+			'>' === $data[7]
+		)
+	) {
+		// Try to parse and extract the script contents.
 		$processor = new WP_HTML_Tag_Processor( $data );
 		$processor->next_token();
 		if ( $processor->get_tag() === 'SCRIPT' ) {

From 73720211a1271056b811ed9cb1449fae4cb7aa6c Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 30 Jul 2025 18:42:26 +0200
Subject: [PATCH 11/18] Improve comment about script tag contents

---
 .../html-api/class-wp-html-tag-processor.php  | 31 ++++++++++++++-----
 1 file changed, 24 insertions(+), 7 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index aca907cb50272..ca0ce761f10c5 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3726,14 +3726,31 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 		switch ( $this->get_tag() ) {
 			case 'SCRIPT':
 				/*
-				 * This is over-protective, but ensures the update doesn't break
-				 * out of the SCRIPT element. A more thorough check would need to
-				 * ensure that the script closing tag doesn't exist, and isn't
-				 * also "hidden" inside the script double-escaped state.
+				 * SCRIPT tag contents can be dangerous.
 				 *
-				 * It may seem like replacing `</script` with `<\/script` would
-				 * properly escape these things, but this could mask regex patterns
-				 * that previously worked. Resolve this by not sending `</script`
+				 * The text `</script>` could close the SCRIPT element prematurely.
+				 *
+				 * The text `<script>` could enter the "script data double escaped state", preventing the
+				 * SCRIPT element from closing as expected, for example:
+				 *
+				 *     <script>
+				 *     // If this "<!--" then "<script>" the closing tag will not be recognized.
+				 *     </script>
+				 *     <h1>This appears inside the preceding SCRIPT element.</h1>
+				 *
+				 * The relevant state transitions happen on text like:
+				 *     1. <
+				 *     2. / (optional)
+				 *     3. script (case-insensitive)
+				 *     4. One of the following characters:
+				 *        - \t
+				 *        - \n
+				 *        - \f
+				 *        - " " (U+0020 SPACE)
+				 *        - /
+				 *        - >
+				 *
+				 * @see https://html.spec.whatwg.org/multipage/parsing.html#script-data-double-escaped-state
 				 */
 				if (
 					false !== stripos( $plaintext_content, '</script' ) ||

From bafb5feade91d5920278cbc75670fb9331b2db0d Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 30 Jul 2025 18:44:08 +0200
Subject: [PATCH 12/18] Improve script tag test and sanitization

---
 src/wp-includes/html-api/class-wp-html-tag-processor.php | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index ca0ce761f10c5..8a84ab92c9f0b 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3752,10 +3752,7 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 				 *
 				 * @see https://html.spec.whatwg.org/multipage/parsing.html#script-data-double-escaped-state
 				 */
-				if (
-					false !== stripos( $plaintext_content, '</script' ) ||
-					false !== stripos( $plaintext_content, '<script' )
-				) {
+				if ( preg_match( '~</?script[\t\n\f />]~i', $plaintext_content ) ) {
 					/*
 					 * JavaScript can be safely escaped.
 					 * Non-JavaScript script tags have unknown semantics.
@@ -3764,12 +3761,12 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 					 */
 					if ( $this->is_javascript_script_tag() ) {
 						$plaintext_content = preg_replace_callback(
-							'~<(/?)(s)(cript)~i',
+							'~<(/?)(s)(cript)([\t\n\f />])~i',
 							static function ( $matches ) {
 								$escaped_s_char = 's' === $matches[2]
 									? '\u0073'
 									: '\u0053';
-								return "<{$matches[1]}{$escaped_s_char}{$matches[3]}";
+								return "<{$matches[1]}{$escaped_s_char}{$matches[3]}{$matches[4]}";
 							},
 							$plaintext_content
 						);

From e60d59220ffc19c328afa3838ccb00517b997e1b Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 30 Jul 2025 18:54:09 +0200
Subject: [PATCH 13/18] Add and improve tests

---
 .../tests/html-api/wpHtmlTagProcessorModifiableText.php     | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
index 7ab76ad110f8c..854fbeff1cbd2 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
@@ -504,7 +504,7 @@ public static function data_unallowed_modifiable_text_updates() {
 	 * @param string $update   Update containing possibly-compromising text.
 	 * @param string $expected Expected result.
 	 */
-	public function test_safely_updates_dangerous_javascript_script_tag_contents( string $html, string $update, string $expected ) {
+	public function test_safely_updates_dangerous_JavaScript_script_tag_contents( string $html, string $update, string $expected ) {
 		$processor = new WP_HTML_Tag_Processor( $html );
 		$this->assertTrue( $processor->next_tag( 'SCRIPT' ) );
 		$this->assertTrue( $processor->set_modifiable_text( $update ) );
@@ -519,12 +519,16 @@ public function test_safely_updates_dangerous_javascript_script_tag_contents( st
 	public static function data_script_tag_text_updates(): array {
 		return array(
 			'Simple update'         => array( '<script></script>', '{}', '<script>{}</script>' ),
+			'Needs no replacement'  => array( '<script></script>', '<!--<scriptish>', '<script><!--<scriptish></script>' ),
 			'var script;1<script>0' => array( '<script></script>', 'var script;1<script>0', '<script>var script;1<\u0073cript>0</script>' ),
 			'1</script>/'           => array( '<script></script>', '1</script>/', '<script>1</\u0073cript>/</script>' ),
 			'var SCRIPT;1<SCRIPT>0' => array( '<script></script>', 'var SCRIPT;1<SCRIPT>0', '<script>var SCRIPT;1<\u0053CRIPT>0</script>' ),
 			'1</SCRIPT>/'           => array( '<script></script>', '1</SCRIPT>/', '<script>1</\u0053CRIPT>/</script>' ),
 			'"</script>"'           => array( '<script></script>', '"</script>"', '<script>"</\u0073cript>"</script>' ),
 			'"</ScRiPt>"'           => array( '<script></script>', '"</ScRiPt>"', '<script>"</\u0053cRiPt>"</script>' ),
+			'Module tag'            => array( '<script type="module"></script>', '"<script>"', '<script type="module">"<\u0073cript>"</script>' ),
+			'Tag with type'         => array( '<script type="text/javascript"></script>', '"<script>"', '<script type="text/javascript">"<\u0073cript>"</script>' ),
+			'Tag with language'     => array( '<script language="javascript"></script>', '"<script>"', '<script language="javascript">"<\u0073cript>"</script>' ),
 		);
 	}
 }

From 092eecfae239c606dce49282150e214e8a1a237b Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 30 Jul 2025 19:08:52 +0200
Subject: [PATCH 14/18] Fix boolean => bool return type

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 src/wp-includes/html-api/class-wp-html-tag-processor.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 8a84ab92c9f0b..9ebb1da31ec28 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3837,7 +3837,7 @@ static function ( $tag_match ) {
 	 *
 	 * @since {WP_VERSION}
 	 *
-	 * @return boolean True if the script tag will be evaluated as JavaScript.
+	 * @return bool True if the script tag will be evaluated as JavaScript.
 	 */
 	public function is_javascript_script_tag(): bool {
 		if ( 'SCRIPT' !== $this->get_tag() || $this->get_namespace() !== 'html' ) {

From ed224884e794b346124cd28a97903c2a7c66f1aa Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 30 Jul 2025 19:11:09 +0200
Subject: [PATCH 15/18] Fix and improve tag processor comments

---
 .../html-api/class-wp-html-tag-processor.php       | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 9ebb1da31ec28..cbbbbdd3d3aaa 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3882,7 +3882,7 @@ public function is_javascript_script_tag(): bool {
 		 *
 		 * > A string is a JavaScript MIME type essence match if it is an ASCII case-insensitive
 		 * > match for one of the JavaScript MIME type essence strings.
-
+		 *
 		 * > A JavaScript MIME type is any MIME type whose essence is one of the following:
 		 * >
 		 * > - application/ecmascript
@@ -3902,8 +3902,8 @@ public function is_javascript_script_tag(): bool {
 		 * > - text/x-ecmascript
 		 * > - text/x-javascript
 		 *
-		 * @see https://mimesniff.spec.whatwg.org/#javascript-mime-type
 		 * @see https://mimesniff.spec.whatwg.org/#javascript-mime-type-essence-match
+		 * @see https://mimesniff.spec.whatwg.org/#javascript-mime-type
 		 */
 		switch ( strtolower( $type_string ) ) {
 			case 'application/ecmascript':
@@ -3925,11 +3925,11 @@ public function is_javascript_script_tag(): bool {
 				return true;
 
 			/*
-			* > Otherwise, if the script block's type string is an ASCII case-insensitive match for
-			* > the string "module", then set el's type to "module".
-			*
-			* A module is evaluated as JavaScript
-			*/
+			 * > Otherwise, if the script block's type string is an ASCII case-insensitive match for
+			 * > the string "module", then set el's type to "module".
+			 *
+			 * A module is evaluated as JavaScript.
+			 */
 			case 'module':
 				return true;
 		}

From 529afadbe562c50e2cc8d866c3642111d0cf3032 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 30 Jul 2025 21:32:14 +0200
Subject: [PATCH 16/18] Improve and add tests

---
 .../wpHtmlTagProcessorModifiableText.php      | 41 +++++++++++--------
 1 file changed, 23 insertions(+), 18 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
index 854fbeff1cbd2..6a53d3e1bd479 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
@@ -448,13 +448,14 @@ public static function data_tokens_with_basic_modifiable_text_updates() {
 	 * the structure of the containing element, such as in a script or comment.
 	 *
 	 * @ticket 61617
+	 * @ticket 62797
 	 *
 	 * @dataProvider data_unallowed_modifiable_text_updates
 	 *
 	 * @param string $html_with_nonempty_modifiable_text Will be used to find the test element.
 	 * @param string $invalid_update                     Update containing possibly-compromising text.
 	 */
-	public function test_rejects_updates_with_unallowed_substrings( string $html_with_nonempty_modifiable_text, string $invalid_update ) {
+	public function test_rejects_dangerous_updates( string $html_with_nonempty_modifiable_text, string $invalid_update ) {
 		$processor = new WP_HTML_Tag_Processor( $html_with_nonempty_modifiable_text );
 
 		while ( '' === $processor->get_modifiable_text() && $processor->next_token() ) {
@@ -486,15 +487,18 @@ public function test_rejects_updates_with_unallowed_substrings( string $html_wit
 	 */
 	public static function data_unallowed_modifiable_text_updates() {
 		return array(
-			'Comment with -->'                 => array( '<!-- this is a comment -->', 'Comments end in -->' ),
-			'Comment with --!>'                => array( '<!-- this is a comment -->', 'Invalid but legitimate comments end in --!>' ),
-			'SCRIPT with </script>'            => array( '<script type="text/xml">Replace me</script>', 'Just a </script>' ),
-			'SCRIPT with </script attributes>' => array( '<script language="plaintext">Replace me</script>', 'before</script id=sneak>after' ),
+			'Comment with -->'                        => array( '<!-- this is a comment -->', 'Comments end in -->' ),
+			'Comment with --!>'                       => array( '<!-- this is a comment -->', 'Invalid but legitimate comments end in --!>' ),
+			'Non-JS SCRIPT with <script>'             => array( '<script type="text/html">Replace me</script>', '<!-- Just a <script>' ),
+			'Non-JS SCRIPT with </script>'            => array( '<script type="text/html">Replace me</script>', 'Just a </script>' ),
+			'Non-JS SCRIPT with <script attributes>'  => array( '<script language="text">Replace me</script>', '<!-- <script sneaky>after' ),
+			'Non-JS SCRIPT with </script attributes>' => array( '<script language="text">Replace me</script>', 'before</script sneaky>after' ),
+
 		);
 	}
 
 	/**
-	 * Ensures that script tag contents are safely updated.
+	 * Ensures that JavaScript script tag contents are safely updated.
 	 *
 	 * @ticket 62797
 	 *
@@ -504,7 +508,7 @@ public static function data_unallowed_modifiable_text_updates() {
 	 * @param string $update   Update containing possibly-compromising text.
 	 * @param string $expected Expected result.
 	 */
-	public function test_safely_updates_dangerous_JavaScript_script_tag_contents( string $html, string $update, string $expected ) {
+	public function test_safely_updates_script_tag_contents( string $html, string $update, string $expected ) {
 		$processor = new WP_HTML_Tag_Processor( $html );
 		$this->assertTrue( $processor->next_tag( 'SCRIPT' ) );
 		$this->assertTrue( $processor->set_modifiable_text( $update ) );
@@ -518,17 +522,18 @@ public function test_safely_updates_dangerous_JavaScript_script_tag_contents( st
 	 */
 	public static function data_script_tag_text_updates(): array {
 		return array(
-			'Simple update'         => array( '<script></script>', '{}', '<script>{}</script>' ),
-			'Needs no replacement'  => array( '<script></script>', '<!--<scriptish>', '<script><!--<scriptish></script>' ),
-			'var script;1<script>0' => array( '<script></script>', 'var script;1<script>0', '<script>var script;1<\u0073cript>0</script>' ),
-			'1</script>/'           => array( '<script></script>', '1</script>/', '<script>1</\u0073cript>/</script>' ),
-			'var SCRIPT;1<SCRIPT>0' => array( '<script></script>', 'var SCRIPT;1<SCRIPT>0', '<script>var SCRIPT;1<\u0053CRIPT>0</script>' ),
-			'1</SCRIPT>/'           => array( '<script></script>', '1</SCRIPT>/', '<script>1</\u0053CRIPT>/</script>' ),
-			'"</script>"'           => array( '<script></script>', '"</script>"', '<script>"</\u0073cript>"</script>' ),
-			'"</ScRiPt>"'           => array( '<script></script>', '"</ScRiPt>"', '<script>"</\u0053cRiPt>"</script>' ),
-			'Module tag'            => array( '<script type="module"></script>', '"<script>"', '<script type="module">"<\u0073cript>"</script>' ),
-			'Tag with type'         => array( '<script type="text/javascript"></script>', '"<script>"', '<script type="text/javascript">"<\u0073cript>"</script>' ),
-			'Tag with language'     => array( '<script language="javascript"></script>', '"<script>"', '<script language="javascript">"<\u0073cript>"</script>' ),
+			'Simple update'                         => array( '<script></script>', '{}', '<script>{}</script>' ),
+			'Needs no replacement'                  => array( '<script></script>', '<!--<scriptish>', '<script><!--<scriptish></script>' ),
+			'var script;1<script>0'                 => array( '<script></script>', 'var script;1<script>0', '<script>var script;1<\u0073cript>0</script>' ),
+			'1</script>/'                           => array( '<script></script>', '1</script>/', '<script>1</\u0073cript>/</script>' ),
+			'var SCRIPT;1<SCRIPT>0'                 => array( '<script></script>', 'var SCRIPT;1<SCRIPT>0', '<script>var SCRIPT;1<\u0053CRIPT>0</script>' ),
+			'1</SCRIPT>/'                           => array( '<script></script>', '1</SCRIPT>/', '<script>1</\u0053CRIPT>/</script>' ),
+			'"</script>"'                           => array( '<script></script>', '"</script>"', '<script>"</\u0073cript>"</script>' ),
+			'"</ScRiPt>"'                           => array( '<script></script>', '"</ScRiPt>"', '<script>"</\u0053cRiPt>"</script>' ),
+			'Module tag'                            => array( '<script type="module"></script>', '"<script>"', '<script type="module">"<\u0073cript>"</script>' ),
+			'Tag with type'                         => array( '<script type="text/javascript"></script>', '"<script>"', '<script type="text/javascript">"<\u0073cript>"</script>' ),
+			'Tag with language'                     => array( '<script language="javascript"></script>', '"<script>"', '<script language="javascript">"<\u0073cript>"</script>' ),
+			'Non-JS script, save HTML-like content' => array( '<script type="text/html"></script>', '<h1>This & that</h1>', '<script type="text/html"><h1>This & that</h1></script>' ),
 		);
 	}
 }

From 981d8e15b0f0973f1ffabcf95ecde7371c8e5268 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 30 Jul 2025 22:04:13 +0200
Subject: [PATCH 17/18] Add tests for \r and \r\n

These tricky sequences do terminate a tag name because they
are handled when normalizing newlines in pre-processing
(before tokenization).
---
 .../tests/html-api/wpHtmlTagProcessorModifiableText.php      | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
index 6a53d3e1bd479..1830bb15711b2 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
@@ -493,7 +493,6 @@ public static function data_unallowed_modifiable_text_updates() {
 			'Non-JS SCRIPT with </script>'            => array( '<script type="text/html">Replace me</script>', 'Just a </script>' ),
 			'Non-JS SCRIPT with <script attributes>'  => array( '<script language="text">Replace me</script>', '<!-- <script sneaky>after' ),
 			'Non-JS SCRIPT with </script attributes>' => array( '<script language="text">Replace me</script>', 'before</script sneaky>after' ),
-
 		);
 	}
 
@@ -530,6 +529,10 @@ public static function data_script_tag_text_updates(): array {
 			'1</SCRIPT>/'                           => array( '<script></script>', '1</SCRIPT>/', '<script>1</\u0053CRIPT>/</script>' ),
 			'"</script>"'                           => array( '<script></script>', '"</script>"', '<script>"</\u0073cript>"</script>' ),
 			'"</ScRiPt>"'                           => array( '<script></script>', '"</ScRiPt>"', '<script>"</\u0053cRiPt>"</script>' ),
+			'Tricky script open tag with \r'        => array( '<script></script>', "<!-- <script\r>", "<script><!-- <\\u0073cript\r></script>" ),
+			'Tricky script open tag with \r\n'      => array( '<script></script>', "<!-- <script\r\n>", "<script><!-- <\\u0073cript\r\n></script>" ),
+			'Tricky script close tag with \r'       => array( '<script></script>', "// </script\r>", "<script>// </\\u0073cript\r></script>" ),
+			'Tricky script close tag with \r\n'     => array( '<script></script>', "// </script\r\n>", "<script>// </\\u0073cript\r\n></script>" ),
 			'Module tag'                            => array( '<script type="module"></script>', '"<script>"', '<script type="module">"<\u0073cript>"</script>' ),
 			'Tag with type'                         => array( '<script type="text/javascript"></script>', '"<script>"', '<script type="text/javascript">"<\u0073cript>"</script>' ),
 			'Tag with language'                     => array( '<script language="javascript"></script>', '"<script>"', '<script language="javascript">"<\u0073cript>"</script>' ),

From a96d8ac6325f0b2767894a5e1953a4e417accfbd Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 30 Jul 2025 22:11:32 +0200
Subject: [PATCH 18/18] Handle \r as tag name terminator

---
 src/wp-includes/functions.wp-scripts.php                 | 5 +++++
 src/wp-includes/html-api/class-wp-html-tag-processor.php | 5 +++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/wp-includes/functions.wp-scripts.php b/src/wp-includes/functions.wp-scripts.php
index 49971b5bafe22..fced2ebaf9978 100644
--- a/src/wp-includes/functions.wp-scripts.php
+++ b/src/wp-includes/functions.wp-scripts.php
@@ -139,6 +139,11 @@ function wp_add_inline_script( $handle, $data, $position = 'after' ) {
 		(
 			"\t" === $data[7] ||
 			"\n" === $data[7] ||
+			/*
+			 * \r\n and \r are normalized to \n in HTML newline normalization.
+			 * Therefore, \r always behaves like \n and terminates a tag name.
+			 */
+			"\r" === $data[7] ||
 			"\f" === $data[7] ||
 			' ' === $data[7] ||
 			'/' === $data[7] ||
diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index cbbbbdd3d3aaa..665ff702c0fcf 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3745,6 +3745,7 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 				 *     4. One of the following characters:
 				 *        - \t
 				 *        - \n
+				 *        - \r (\r and \r\n newlines are normalized to \n in HTML pre-processing)
 				 *        - \f
 				 *        - " " (U+0020 SPACE)
 				 *        - /
@@ -3752,7 +3753,7 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 				 *
 				 * @see https://html.spec.whatwg.org/multipage/parsing.html#script-data-double-escaped-state
 				 */
-				if ( preg_match( '~</?script[\t\n\f />]~i', $plaintext_content ) ) {
+				if ( preg_match( '~</?script[\t\r\n\f />]~i', $plaintext_content ) ) {
 					/*
 					 * JavaScript can be safely escaped.
 					 * Non-JavaScript script tags have unknown semantics.
@@ -3761,7 +3762,7 @@ public function set_modifiable_text( string $plaintext_content ): bool {
 					 */
 					if ( $this->is_javascript_script_tag() ) {
 						$plaintext_content = preg_replace_callback(
-							'~<(/?)(s)(cript)([\t\n\f />])~i',
+							'~<(/?)(s)(cript)([\t\r\n\f />])~i',
 							static function ( $matches ) {
 								$escaped_s_char = 's' === $matches[2]
 									? '\u0073'