HTML API: Stop escaping XMP contents when serializing.

XMP contents are raw text in which character references are never
decoded. Escaping them changed document contents across a
serialize/re-parse cycle: `<xmp>1 < 2</xmp>` serialized as
`<xmp>1 &lt; 2</xmp>`, which re-parses as the literal text "1 &lt; 2".

XMP contents now serialize literally like the other raw text elements,
following the HTML fragment serialization algorithm.

See #65372.

Author: sirreal

src/wp-includes/html-api/class-wp-html-processor.php

@@ -1347,8 +1347,8 @@ public function serialize(): ?string {
 	 *
 	 * @since 6.7.0
 	 * @since 6.9.0 Converted from protected to public method.
-	 * @since 7.1.0 Contents of IFRAME, NOEMBED, and NOFRAMES elements are
-	 *              serialized literally instead of being dropped.
+	 * @since 7.1.0 Contents of IFRAME, NOEMBED, NOFRAMES, and XMP elements are
+	 *              serialized literally instead of being dropped or escaped.
 	 *
 	 * @return string Serialization of token, or empty string if no serialization exists.
 	 */
@@ -1503,7 +1503,7 @@ public function serialize_token(): string {
 				 *
 				 * This is safe because character references are never decoded in
 				 * their contents. RAWTEXT contents (IFRAME, NOEMBED, NOFRAMES,
-				 * STYLE) cannot contain their own closing tag, so the closer
+				 * STYLE, XMP) cannot contain their own closing tag, so the closer
 				 * appended below cannot be matched early. SCRIPT data may contain
 				 * escaped closers (e.g. within `<!-- -->`), but re-parsing the
 				 * identical bytes follows the same tokenization rules that produced
@@ -1516,8 +1516,14 @@ public function serialize_token(): string {
 				case 'NOFRAMES':
 				case 'SCRIPT':
 				case 'STYLE':
+				case 'XMP':
 					break;
 
+				/*
+				 * The contents of TEXTAREA and TITLE are parsed as RCDATA, in which
+				 * character references are decoded, so the decoded modifiable text
+				 * must be re-escaped to preserve the document's contents.
+				 */
 				default:
 					$text = htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8' );
 			}

tests/phpunit/tests/html-api/wpHtmlProcessor-serialize.php

@@ -134,6 +134,23 @@ public function test_style_contents_are_not_escaped() {
 		);
 	}
 
+	/**
+	 * Ensures that XMP contents are not escaped, as they are not parsed like text nodes are.
+	 *
+	 * XMP contents are parsed as raw text: character references are never decoded.
+	 * Escaping the contents would change the document, e.g. a "<" would be replaced
+	 * by the literal text "&lt;" after serializing and re-parsing.
+	 *
+	 * @ticket 65372
+	 */
+	public function test_xmp_contents_are_not_escaped() {
+		$this->assertSame(
+			"<xmp>1 < 2 &amp; apples > or\u{FFFD}anges</xmp>",
+			WP_HTML_Processor::normalize( "<xmp>1 < 2 &amp; apples > or\x00anges</xmp>" ),
+			'Should have preserved text inside an XMP element, except for replacing NULL bytes.'
+		);
+	}
+
 	/**
 	 * Ensures that the contents of IFRAME, NOEMBED, and NOFRAMES elements are
 	 * preserved when serializing.
@@ -379,6 +396,7 @@ public static function data_tokens_with_null_bytes() {
 			'IFRAME content'       => array( "<iframe>a\x00b</iframe>", "<iframe>a\u{FFFD}b</iframe>" ),
 			'NOEMBED content'      => array( "<noembed>a\x00b</noembed>", "<noembed>a\u{FFFD}b</noembed>" ),
 			'NOFRAMES content'     => array( "<noframes>a\x00b</noframes>", "<noframes>a\u{FFFD}b</noframes>" ),
+			'XMP content'          => array( "<xmp>a\x00b</xmp>", "<xmp>a\u{FFFD}b</xmp>" ),
 			'Comment text'         => array( "<!-- \x00 -->", "<!-- \u{FFFD} -->" ),
 		);
 	}