HTML API: Preserve XMP rawtext serialization

[sirreal]

Summary

• Treat HTML XMP contents like other rawtext serialization paths so raw <, >, and & are preserved.
• Add focused serialization coverage for XMP rawtext and a fuzzer idempotence case using entity-looking text.

Root Cause

WP_HTML_Processor::serialize_token() flushed HTML XMP as a self-contained element, but allowed it to fall through to the escaped text/RCDATA path. That changed rawtext semantics and made normalization non-idempotent for inputs such as <xmp>apples > oranges &amp; <</xmp>.

Validation

• WP_TESTS_SKIP_INSTALL=1 ./vendor/bin/phpunit --group html-api,html-api-html5lib-tests
• ./vendor/bin/phpcs src/wp-includes/html-api/class-wp-html-processor.php tests/phpunit/tests/html-api/wpHtmlProcessor-serialize.php
• codex-review-loop before final rebase: zero actionable findings on the XMP diff; a second post-rebase attempt was blocked by sandbox/external-review approval, with the remote compare confirming the final PR diff is the same two-file XMP change.

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props jonsurrell.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[sirreal]

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

🤖 Generated with Claude Code

_{- If this code review was useful, please react with 👍. Otherwise, react with 👎.}

[sirreal]

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

🤖 Generated with Claude Code

_{- If this code review was useful, please react with 👍. Otherwise, react with 👎.}