fix(codgen): escape </script for template literals and comments

Author: xu-cheng

crates/oxc_codegen/src/comment.rs

@@ -128,15 +128,15 @@ impl Codegen<'_> {
         let comment_source = comment.span.source_text(source_text);
         match comment.kind {
             CommentKind::Line => {
-                self.print_str(comment_source);
+                self.print_str_escaping_script_close_tag(comment_source);
             }
             CommentKind::Block => {
                 // Print block comments with our own indentation.
                 for line in comment_source.split(is_line_terminator) {
                     if !line.starts_with("/*") {
                         self.print_indent();
                     }
-                    self.print_str(line.trim_start());
+                    self.print_str_escaping_script_close_tag(line.trim_start());
                     if !line.ends_with("*/") {
                         self.print_hard_newline();
                     }

crates/oxc_codegen/src/gen.rs

@@ -2082,7 +2082,7 @@ impl Gen for TemplateLiteral<'_> {
 
         for quasi in &self.quasis {
             p.add_source_mapping(quasi.span);
-            p.print_str(quasi.value.raw.as_str());
+            p.print_str_escaping_script_close_tag(quasi.value.raw.as_str());
 
             if let Some(expr) = expressions.next() {
                 p.print_str("${");

crates/oxc_codegen/src/lib.rs

@@ -26,8 +26,11 @@ use oxc_syntax::{
 };
 
 use crate::{
-    binary_expr_visitor::BinaryExpressionVisitor, comment::CommentsMap, operator::Operator,
-    sourcemap_builder::SourcemapBuilder, str::Quote,
+    binary_expr_visitor::BinaryExpressionVisitor,
+    comment::CommentsMap,
+    operator::Operator,
+    sourcemap_builder::SourcemapBuilder,
+    str::{Quote, is_script_close_tag},
 };
 pub use crate::{
     context::Context,
@@ -230,6 +233,39 @@ impl<'a> Codegen<'a> {
         self.code.print_str(s);
     }
 
+    /// Push str into the buffer, escaping `</script` to `<\/script`.
+    #[inline]
+    pub fn print_str_escaping_script_close_tag(&mut self, s: &str) {
+        let slice = s.as_bytes();
+        let mut consumed = 0;
+        let mut i = 0;
+
+        // Only check when remaining string has length larger than 8.
+        while i + 8 <= slice.len() {
+            if is_script_close_tag(&slice[i..i+8]) {
+                // Push up to and including `<`. Skip `/`. Write `\/` instead.
+                // SAFETY:
+                // The slice guarantees to be a valid UTF-8 string.
+                // The consumed index is always pointed to a UTF-8 char boundary.
+                // Current byte is `<`, thus i - 1 is also at a UTF-8 char boundary.
+                unsafe {
+                    self.code.print_bytes_unchecked(&slice[consumed..=i]);
+                }
+                self.code.print_str("\\/");
+                consumed = i + 2;
+                i += 8;
+            }
+            i += 1;
+        }
+
+        // SAFETY:
+        // The slice guarantees to be a valid UTF-8 string.
+        // The consumed index is always pointed to a UTF-8 char boundary.
+        unsafe {
+            self.code.print_bytes_unchecked(&slice[consumed..]);
+        }
+    }
+
     /// Print a single [`Expression`], adding it to the code generator's
     /// internal buffer. Unlike [`Codegen::build`], this does not consume `self`.
     #[inline]

crates/oxc_codegen/src/str.rs

@@ -592,29 +592,16 @@ unsafe fn print_less_than(codegen: &mut Codegen, state: &mut PrintStringState) {
     // SAFETY: Next byte is `<`, which is ASCII
     unsafe { state.consume_byte_unchecked() };
 
-    // We have to check 2nd byte separately as `next8_lower_case == *b"</script"`
-    // would also match `<\x0Fscript` (0xF | 32 == b'/').
-    if slice.len() >= 8 && slice[1] == b'/' {
-        // Compiler condenses these operations to an 8-byte read, u64 AND, and u64 compare.
-        // https://godbolt.org/z/9ndYnbj53
-        let next8: [u8; 8] = slice[0..8].try_into().unwrap();
-        let mut next8_lower_case = [0; 8];
-        for i in 0..8 {
-            // `| 32` converts ASCII upper case letters to lower case. `<` and `/` are unaffected.
-            next8_lower_case[i] = next8[i] | 32;
-        }
-
-        if next8_lower_case == *b"</script" {
-            // Flush up to and including `<`. Skip `/`. Write `\/` instead. Then skip over `script`.
-            // Next chunk starts with `script`.
-            // SAFETY: We already consumed `<`. Next byte is `/`, which is ASCII.
-            unsafe { state.flush_and_consume_byte(codegen) };
-            // SAFETY: `slice.len() >= 8` check above ensures there are 6 bytes left, after consuming 2 already.
-            // `script` / `SCRIPT` is all ASCII bytes, so skipping them leaves `bytes` iterator
-            // positioned on UTF-8 char boundary.
-            unsafe { state.consume_bytes_unchecked::<6>() };
-            codegen.print_str("\\/");
-        }
+    if slice.len() >= 8 && is_script_close_tag(&slice[0..8]) {
+        // Flush up to and including `<`. Skip `/`. Write `\/` instead. Then skip over `script`.
+        // Next chunk starts with `script`.
+        // SAFETY: We already consumed `<`. Next byte is `/`, which is ASCII.
+        unsafe { state.flush_and_consume_byte(codegen) };
+        codegen.print_str("\\/");
+        // SAFETY: The check above ensures there are 6 bytes left, after consuming 2 already.
+        // `script` / `SCRIPT` is all ASCII bytes, so skipping them leaves `bytes` iterator
+        // positioned on UTF-8 char boundary.
+        unsafe { state.consume_bytes_unchecked::<6>() };
     }
 }
 
@@ -735,3 +722,20 @@ unsafe fn print_lossy_replacement(codegen: &mut Codegen, state: &mut PrintString
 pub fn cold_branch<F: FnOnce() -> T, T>(f: F) -> T {
     f()
 }
+
+/// Check if the slice is `</script` regardless of case.
+pub fn is_script_close_tag(slice: &[u8]) -> bool {
+    if slice.len() == 8 {
+        // Compiler condenses these operations to an 8-byte read, u64 AND, and u64 compare.
+        // https://godbolt.org/z/oGG16fK6v
+        let mut slice: [u8; 8] = slice.try_into().unwrap();
+        for b in slice.iter_mut().skip(2) {
+            // `| 32` converts ASCII upper case letters to lower case.
+            *b |= 32;
+        }
+
+        slice == *b"</script"
+    } else {
+        false
+    }
+}

crates/oxc_codegen/tests/integration/esbuild.rs

@@ -1014,7 +1014,6 @@ fn test_jsx_single_line() {
 }
 
 #[test]
-#[ignore]
 fn test_avoid_slash_script() {
     // Positive cases
     test("x = '</script'", "x = \"<\\/script\";\n");
@@ -1027,36 +1026,23 @@ fn test_avoid_slash_script() {
     test("x = `</ScRiPt`", "x = `<\\/ScRiPt`;\n");
     test("x = `</script${y}`", "x = `<\\/script${y}`;\n");
     test("x = `${y}</script`", "x = `${y}<\\/script`;\n");
+    test("x = `<</script`", "x = `<<\\/script`;\n");
+    test("x = `</</script`", "x = `</<\\/script`;\n");
     test_minify("x = 1 < /script/.exec(y).length", "x=1< /script/.exec(y).length;");
     test_minify("x = 1 < /SCRIPT/.exec(y).length", "x=1< /SCRIPT/.exec(y).length;");
     test_minify("x = 1 < /ScRiPt/.exec(y).length", "x=1< /ScRiPt/.exec(y).length;");
     test_minify("x = 1 << /script/.exec(y).length", "x=1<< /script/.exec(y).length;");
     test("//! </script\n//! >/script\n//! /script", "//! <\\/script\n//! >/script\n//! /script\n");
     test("//! </SCRIPT\n//! >/SCRIPT\n//! /SCRIPT", "//! <\\/SCRIPT\n//! >/SCRIPT\n//! /SCRIPT\n");
     test("//! </ScRiPt\n//! >/ScRiPt\n//! /ScRiPt", "//! <\\/ScRiPt\n//! >/ScRiPt\n//! /ScRiPt\n");
-    test("/*! </script \n </script */", "/*! <\\/script \n <\\/script */\n");
-    test("/*! </SCRIPT \n </SCRIPT */", "/*! <\\/SCRIPT \n <\\/SCRIPT */\n");
-    test("/*! </ScRiPt \n </ScRiPt */", "/*! <\\/ScRiPt \n <\\/ScRiPt */\n");
-    test(
-        "String.raw`</script`",
-        "import { __template } from \"<runtime>\";\nvar _a;\nString.raw(_a || (_a = __template([\"<\\/script\"])));\n",
-    );
-    test(
-        "String.raw`</script${a}`",
-        "import { __template } from \"<runtime>\";\nvar _a;\nString.raw(_a || (_a = __template([\"<\\/script\", \"\"])), a);\n",
-    );
-    test(
-        "String.raw`${a}</script`",
-        "import { __template } from \"<runtime>\";\nvar _a;\nString.raw(_a || (_a = __template([\"\", \"<\\/script\"])), a);\n",
-    );
-    test(
-        "String.raw`</SCRIPT`",
-        "import { __template } from \"<runtime>\";\nvar _a;\nString.raw(_a || (_a = __template([\"<\\/SCRIPT\"])));\n",
-    );
-    test(
-        "String.raw`</ScRiPt`",
-        "import { __template } from \"<runtime>\";\nvar _a;\nString.raw(_a || (_a = __template([\"<\\/ScRiPt\"])));\n",
-    );
+    test("/*! </script \n</script */", "/*! <\\/script \n<\\/script */");
+    test("/*! </SCRIPT \n</SCRIPT */", "/*! <\\/SCRIPT \n<\\/SCRIPT */");
+    test("/*! </ScRiPt \n</ScRiPt */", "/*! <\\/ScRiPt \n<\\/ScRiPt */");
+    test("String.raw`</script`", "String.raw`<\\/script`;\n");
+    test("String.raw`</script${a}`", "String.raw`<\\/script${a}`;\n");
+    test("String.raw`${a}</script`", "String.raw`${a}<\\/script`;\n");
+    test("String.raw`</SCRIPT`", "String.raw`<\\/SCRIPT`;\n");
+    test("String.raw`</ScRiPt`", "String.raw`<\\/ScRiPt`;\n");
 
     // Negative cases
     test("x = '</'", "x = \"</\";\n");