fix(codgen): escape </script for template literals and comments

xu-cheng · xu-cheng · commit 8d800f6bcc36 · 2025-06-18T11:56:25.000-07:00
diff --git a/crates/oxc_codegen/src/comment.rs b/crates/oxc_codegen/src/comment.rs
@@ -128,15 +128,15 @@ impl Codegen<'_> {
         let comment_source = comment.span.source_text(source_text);
         match comment.kind {
             CommentKind::Line => {
-                self.print_str(comment_source);
+                self.print_str_escaping_slash_script(comment_source);
             }
             CommentKind::Block => {
                 // Print block comments with our own indentation.
                 for line in comment_source.split(is_line_terminator) {
                     if !line.starts_with("/*") {
                         self.print_indent();
                     }
-                    self.print_str(line.trim_start());
+                    self.print_str_escaping_slash_script(line.trim_start());
                     if !line.ends_with("*/") {
                         self.print_hard_newline();
                     }
diff --git a/crates/oxc_codegen/src/gen.rs b/crates/oxc_codegen/src/gen.rs
@@ -2082,7 +2082,7 @@ impl Gen for TemplateLiteral<'_> {
 
         for quasi in &self.quasis {
             p.add_source_mapping(quasi.span);
-            p.print_str(quasi.value.raw.as_str());
+            p.print_str_escaping_slash_script(quasi.value.raw.as_str());
 
             if let Some(expr) = expressions.next() {
                 p.print_str("${");
diff --git a/crates/oxc_codegen/src/lib.rs b/crates/oxc_codegen/src/lib.rs
@@ -230,6 +230,62 @@ impl<'a> Codegen<'a> {
         self.code.print_str(s);
     }
 
+    /// Push str into the buffer, escaping `</script` to `<\/script`.
+    #[inline]
+    #[expect(clippy::missing_panics_doc, reason = "infallible")]
+    pub fn print_str_escaping_slash_script(&mut self, s: &str) {
+        let slice = s.as_bytes();
+        let mut consumed = 0;
+        let mut i = 0;
+
+        while i < slice.len() {
+            if slice[i] != b'<' {
+                i += 1;
+                continue;
+            }
+
+            // SAFETY:
+            // The slice guarantees to be a valid UTF-8 string.
+            // The consumed index is always pointed to a UTF-8 char boundary.
+            // Current byte is `<`, thus i - 1 is also at a UTF-8 char boundary.
+            unsafe {
+                self.code.print_bytes_unchecked(&slice[consumed..i]);
+            }
+            consumed = i;
+
+            // We have to check 2nd byte separately as `next8_lower_case == *b"</script"`
+            // would also match `<\x0Fscript` (0xF | 32 == b'/').
+            if slice.len() >= 8 + i && slice[i + 1] == b'/' {
+                // Compiler condenses these operations to an 8-byte read, u64 AND, and u64 compare.
+                // https://godbolt.org/z/9ndYnbj53
+                //
+                // TODO: use the following expect after it is fixed in stable clippy.
+                // https://github.com/rust-lang/rust-clippy/issues/14534
+                // #[expect(clippy::missing_panics_doc, reason = "infallible")]
+                let next8: [u8; 8] = slice[i..i + 8].try_into().unwrap();
+                let mut next8_lower_case = [0; 8];
+                for j in 0..8 {
+                    // `| 32` converts ASCII upper case letters to lower case. `<` and `/` are unaffected.
+                    next8_lower_case[j] = next8[j] | 32;
+                }
+                if next8_lower_case == *b"</script" {
+                    self.code.print_str("<\\/");
+                    consumed += 2;
+                }
+                i += 8;
+            } else {
+                i += 1;
+            }
+        }
+
+        // SAFETY:
+        // The slice guarantees to be a valid UTF-8 string.
+        // The consumed index is always pointed to a UTF-8 char boundary.
+        unsafe {
+            self.code.print_bytes_unchecked(&slice[consumed..]);
+        }
+    }
+
     /// Print a single [`Expression`], adding it to the code generator's
     /// internal buffer. Unlike [`Codegen::build`], this does not consume `self`.
     #[inline]
diff --git a/crates/oxc_codegen/tests/integration/esbuild.rs b/crates/oxc_codegen/tests/integration/esbuild.rs
@@ -1014,7 +1014,6 @@ fn test_jsx_single_line() {
 }
 
 #[test]
-#[ignore]
 fn test_avoid_slash_script() {
     // Positive cases
     test("x = '</script'", "x = \"<\\/script\";\n");
@@ -1034,29 +1033,14 @@ fn test_avoid_slash_script() {
     test("//! </script\n//! >/script\n//! /script", "//! <\\/script\n//! >/script\n//! /script\n");
     test("//! </SCRIPT\n//! >/SCRIPT\n//! /SCRIPT", "//! <\\/SCRIPT\n//! >/SCRIPT\n//! /SCRIPT\n");
     test("//! </ScRiPt\n//! >/ScRiPt\n//! /ScRiPt", "//! <\\/ScRiPt\n//! >/ScRiPt\n//! /ScRiPt\n");
-    test("/*! </script \n </script */", "/*! <\\/script \n <\\/script */\n");
-    test("/*! </SCRIPT \n </SCRIPT */", "/*! <\\/SCRIPT \n <\\/SCRIPT */\n");
-    test("/*! </ScRiPt \n </ScRiPt */", "/*! <\\/ScRiPt \n <\\/ScRiPt */\n");
-    test(
-        "String.raw`</script`",
-        "import { __template } from \"<runtime>\";\nvar _a;\nString.raw(_a || (_a = __template([\"<\\/script\"])));\n",
-    );
-    test(
-        "String.raw`</script${a}`",
-        "import { __template } from \"<runtime>\";\nvar _a;\nString.raw(_a || (_a = __template([\"<\\/script\", \"\"])), a);\n",
-    );
-    test(
-        "String.raw`${a}</script`",
-        "import { __template } from \"<runtime>\";\nvar _a;\nString.raw(_a || (_a = __template([\"\", \"<\\/script\"])), a);\n",
-    );
-    test(
-        "String.raw`</SCRIPT`",
-        "import { __template } from \"<runtime>\";\nvar _a;\nString.raw(_a || (_a = __template([\"<\\/SCRIPT\"])));\n",
-    );
-    test(
-        "String.raw`</ScRiPt`",
-        "import { __template } from \"<runtime>\";\nvar _a;\nString.raw(_a || (_a = __template([\"<\\/ScRiPt\"])));\n",
-    );
+    test("/*! </script \n</script */", "/*! <\\/script \n<\\/script */");
+    test("/*! </SCRIPT \n</SCRIPT */", "/*! <\\/SCRIPT \n<\\/SCRIPT */");
+    test("/*! </ScRiPt \n</ScRiPt */", "/*! <\\/ScRiPt \n<\\/ScRiPt */");
+    test("String.raw`</script`", "String.raw`<\\/script`;\n");
+    test("String.raw`</script${a}`", "String.raw`<\\/script${a}`;\n");
+    test("String.raw`${a}</script`", "String.raw`${a}<\\/script`;\n");
+    test("String.raw`</SCRIPT`", "String.raw`<\\/SCRIPT`;\n");
+    test("String.raw`</ScRiPt`", "String.raw`<\\/ScRiPt`;\n");
 
     // Negative cases
     test("x = '</'", "x = \"</\";\n");

Original file line number	Diff line number	Diff line change
`@@ -128,15 +128,15 @@ impl Codegen<'_> {`
`128`	`128`	`let comment_source = comment.span.source_text(source_text);`
`129`	`129`	`match comment.kind {`
`130`	`130`	`CommentKind::Line => {`
`131`		`- self.print_str(comment_source);`
	`131`	`+ self.print_str_escaping_slash_script(comment_source);`
`132`	`132`	`}`
`133`	`133`	`CommentKind::Block => {`
`134`	`134`	`// Print block comments with our own indentation.`
`135`	`135`	`for line in comment_source.split(is_line_terminator) {`
`136`	`136`	`if !line.starts_with("/*") {`
`137`	`137`	`self.print_indent();`
`138`	`138`	`}`
`139`		`- self.print_str(line.trim_start());`
	`139`	`+ self.print_str_escaping_slash_script(line.trim_start());`
`140`	`140`	`if !line.ends_with("*/") {`
`141`	`141`	`self.print_hard_newline();`
`142`	`142`	`}`