From 2ec27eb0382d811b8dc2a9044ef802031e44db97 Mon Sep 17 00:00:00 2001
From: Timo Tijhof <krinklemail@gmail.com>
Date: Mon, 20 Aug 2018 01:14:46 +0100
Subject: [PATCH] resourceloader: Refuse to preview content with </script>

Bug: T200506
Change-Id: I4ab5fbb0f5413aad24360169ba635672ce8d9c8e
---
 includes/OutputPage.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 3675e8a4ee..4f12e0cfd0 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -2754,6 +2754,18 @@ class OutputPage extends ContextSource {
 					foreach ( $this->contentOverrideCallbacks as $callback ) {
 						$content = $callback( $title );
 						if ( $content !== null ) {
+							$text = ContentHandler::getContentText( $content );
+							if ( strpos( $text, '</script>' ) !== false ) {
+								// Proactively replace this so that we can display a message
+								// to the user, instead of letting it go to Html::inlineScript(),
+								// where it would be considered a server-side issue.
+								$titleFormatted = $title->getPrefixedText();
+								$content = new JavaScriptContent(
+									Xml::encodeJsCall( 'mw.log.error', [
+										"Cannot preview $titleFormatted due to script-closing tag."
+									] )
+								);
+							}
 							return $content;
 						}
 					}
-- 
2.20.1