added case-insensitive escaping for script tag

whisk · whisk · commit 51727b4428c8 · 2025-10-17T22:37:53.000+02:00
diff --git a/elements.go b/elements.go
@@ -253,8 +253,8 @@ func Meta(attrs attrs.Props) *Element {
 }
 
 // Script creates a <script> element.
-// According to https://html.spec.whatwg.org/multipage/scripting.html#the-script-element, only text nodes are allowed inside the <script> element.
-// Additionally, if the src attribute is present, children must be either empty or contain only comments. However, the original version of this function
+// According to https://html.spec.whatwg.org/multipage/scripting.html#the-script-element, no tags or comments are allowed inside the <script> element.
+// Additionally, if the src attribute is present, children must be either empty or contain only script comments. However, the original version of this function
 // allowed the use of any number of arbitrary elements. This is left as-is for backwards compatibility.
 func Script(attrs attrs.Props, children ...Node) *Element {
 	// Transform children to ScriptNodes to implement content escaping
diff --git a/elements_test.go b/elements_test.go
@@ -368,6 +368,10 @@ func TestScriptEscaping(t *testing.T) {
 	el = Script(attrs.Props{}, Raw(`alert("<script> and </script> tags must be properly escaped");`))
 	assert.Equal(t, expected, el.Render())
 
+	expected = `<script>alert("\x3CScripT> and \x3C/ScRiPt> are case-insensitive");</script>`
+	el = Script(attrs.Props{}, Raw(`alert("<ScripT> and </ScRiPt> are case-insensitive");`))
+	assert.Equal(t, expected, el.Render())
+
 	expected = `<script>alert("\x3C!-- comment openings must be escaped too");</script>`
 	el = Script(attrs.Props{}, Raw(`alert("<!-- comment openings must be escaped too");`))
 	assert.Equal(t, expected, el.Render())
diff --git a/utils.go b/utils.go
@@ -1,6 +1,9 @@
 package elem
 
-import "strings"
+import (
+	"regexp"
+	"strings"
+)
 
 // nodeContentReplacer handles escaping of HTML special characters in text nodes
 // note that single and double quotes (', ") do not need escaping in HTML5 text nodes
@@ -18,12 +21,6 @@ var commentContentsReplacer = strings.NewReplacer(
 	"--!>", "--!&gt;",
 )
 
-var scriptContentsReplaces = strings.NewReplacer(
-	"<!--", "\\x3C!--",
-	"<script", "\\x3Cscript",
-	"</script", "\\x3C/script",
-)
-
 // If conditionally renders one of the provided elements based on the condition
 func If[T any](condition bool, ifTrue, ifFalse T) T {
 	if condition {
@@ -74,7 +71,12 @@ func EscapeCommentContents(s string) string {
 	return s
 }
 
+// scriptContentsRegexp matches <script and </script case-insensitively
+var scriptContentsRegexp = regexp.MustCompile(`(?i)<(/?)(script)`)
+
 // EscapeScriptContents escapes the contents of a script node according to https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
 func EscapeScriptContents(s string) string {
-	return scriptContentsReplaces.Replace(s)
+	s = strings.ReplaceAll(s, `<!--`, `\x3C!--`)
+	s = scriptContentsRegexp.ReplaceAllString(s, `\x3C$1$2`)
+	return s
 }
