[wp-trac] [WordPress Trac] #64637: wptexturize inconsistently encodes & to &#038; in Custom HTML blocks, breaking JavaScript
WordPress Trac
noreply at wordpress.org
Sat Feb 14 01:45:46 UTC 2026
#64637: wptexturize inconsistently encodes & to &#038; in Custom HTML blocks,
breaking JavaScript
--------------------------+-----------------------------
Reporter: noitidart | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
The `wptexturize` function inconsistently converts `&` to `&#038;` inside
Custom HTML blocks, breaking JavaScript code that uses the `&&` operator.
The inconsistency occurs when the JavaScript contains `<` comparison
operators, which causes `wptexturize`'s regex-based parser to misidentify
HTML tag boundaries.
== Steps to Reproduce ==
1. Create a post/page with a Custom HTML block
2. Add the following JavaScript:
{{{
<script>
(function() {
  if (5 < 1) {
    // never
  }
  if (true && true) {
    alert('if you see this alert - then the ampersands were not encoded')
  }
})()
</script>
}}}
3. View the page source on the frontend
== Expected Behavior ==
The `&&` operator should remain unchanged:
{{{
if (true && true) {
}}}
== Actual Behavior ==
The `&&` operator gets encoded to `&#038;&#038;`:
{{{
if (true &#038;&#038; true) {
}}}
This breaks the JavaScript with a syntax error.
== Root Cause ==
In `wp-includes/formatting.php`, `wptexturize()` uses regex to identify
HTML tag boundaries. When JavaScript contains `<` characters (e.g., `if (5
< 1)`), the parser incorrectly treats this as an HTML tag start, causing
the `<script>` tag's content to be partially or fully processed by the
ampersand-encoding regex at line 299:
{{{
$curl = preg_replace( '/&(?!#(?:\d+|x[a-f0-9]+);|[a-z1-4]{1,8};)/i',
    '&#038;', $curl );
}}}
The `<script>` tag is in `$default_no_texturize_tags`, but the protection
fails when the parser misidentifies tag boundaries.
== Environment ==
* WordPress: 6.9.1 (trunk)
* Theme: Any block theme (Full Site Editing)
* PHP: 8.x
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64637>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
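
A simplified model of the mechanism in the Root Cause section, as an added example that is not part of the ticket or of WordPress core. The ampersand pattern is the one quoted in the ticket; `SPLIT_RE`, `modelTexturize` and `brokenInlineScripts` are hypothetical names, and the splitter is an assumption standing in for `wptexturize()`'s real tokenizer. It shows `&&` surviving when the script has no `<` comparison and being encoded when it has one, plus a check that flags inline scripts in rendered HTML that no longer parse.

```javascript
// Added example: a simplified model, not WordPress core code.
// AMP_RE is the ampersand pattern quoted in the ticket (replacement "&#038;").
const AMP_RE = /&(?!#(?:\d+|x[a-f0-9]+);|[a-z1-4]{1,8};)/gi;
// Assumption: a naive splitter that treats "<" up to the next ">" as one tag.
const SPLIT_RE = /(<[^>]*>?)/;

// Encode bare ampersands inside anything the splitter believes is a tag.
function modelTexturize(html) {
  return html
    .split(SPLIT_RE)
    .map((tok) => (tok.startsWith("<") ? tok.replace(AMP_RE, "&#038;") : tok))
    .join("");
}

// Check for rendered pages: inline scripts that contain an encoded ampersand
// and no longer compile. new Function() only parses the body, it never runs it.
function brokenInlineScripts(renderedHtml) {
  const scripts = renderedHtml.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi);
  return [...scripts].map((m) => m[1]).filter((body) => {
    if (!/&(?:#0*38|amp);/i.test(body)) return false;
    try {
      new Function(body);
      return false;
    } catch {
      return true;
    }
  });
}

// The ticket's script, and a constructed variant without the "<" comparison.
const WITH_LT = `<script>
(function() {
  if (5 < 1) {
    // never
  }
  if (true && true) {
    alert('if you see this alert - then the ampersands were not encoded')
  }
})()
</script>`;
const WITHOUT_LT = `<script>
if (true && true) { console.log('ok') }
</script>`;

for (const [name, html] of [["with <", WITH_LT], ["without <", WITHOUT_LT]]) {
  const out = modelTexturize(html);
  console.log(name, "| changed:", out !== html, "| broken scripts:", brokenInlineScripts(out).length);
}
```

The same `brokenInlineScripts` check can be run over saved front-end HTML to find posts whose inline scripts were altered on output.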