Skip to content

fix: self-closing script tag fixed for TinyMceEditor #2510

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Nov 6, 2025
Merged

fix: self-closing script tag fixed for TinyMceEditor #2510

merged 3 commits into from
Nov 6, 2025

Conversation

@marslanabdulrauf
Copy link
Contributor

@marslanabdulrauf marslanabdulrauf commented Oct 6, 2025

Related Ticket (internal)

https://github.com/mitodl/hq/issues/7208

Description

In some scenarios the script tag is automatically enclosing other html content when used in a text component. Take for example this simple piece of html:

<script type="text/javascript" src="/asset-v1:TestX+8.13_testing+2025_Spring+type@asset+block@print_styles.js"/>
<p>This is content</p>

if that is put into a text component using the HTML editor, then problems arise, see screenshots:


Basically what happens is the editor is deciding that the script tag needs closed, it then saves the html as:

<p>
<script type="text/javascript" src="/asset-v1:TestX+8.13_testing+2025_Spring+type@asset+block@print_styles.js">
<p>This is content</p></script>
</p>

Testing instructions

  1. Follow the steps from Description and you shouldn't see any malformed HTML now instead you should see This is content in the editor

Best Practices Checklist

We're trying to move away from some deprecated patterns in this codebase. Please
check if your PR meets these recommendations before asking for a review:

  • Any new files are using TypeScript (.ts, .tsx).
  • Deprecated propTypes, defaultProps, and injectIntl patterns are not used in any new or modified code.
  • Tests should use the helpers in src/testUtils.tsx (specifically initializeMocks)
  • Do not add new fields to the Redux state/store. Use React Context to share state among multiple components.
  • Use React Query to load data from REST APIs. See any apiHooks.ts in this repo for examples.
  • All new i18n messages in messages.ts files have a description for translators to use.
  • Imports avoid using ../. To import from parent folders, use @src, e.g. import { initializeMocks } from '@src/testUtils'; instead of from '../../../../testUtils'

@openedx-webhooks
Copy link

openedx-webhooks commented Oct 6, 2025

Thanks for the pull request, @marslanabdulrauf!

This repository is currently maintained by @bradenmacdonald.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

  • If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
    • This process (including the steps you'll need to take) is documented here.
  • If it doesn't, simply proceed with the next step.
🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

  • Dependencies

    This PR must be merged before / after / at the same time as ...

  • Blockers

    This PR is waiting for OEP-1234 to be accepted.

  • Timeline information

    This PR must be merged by XX date because ...

  • Partner information

    This is for a course on edx.org.

  • Supporting documentation
  • Relevant Open edX discussion forum threads
🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

  • The size and impact of the changes that it introduces
  • The need for product review
  • Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

@openedx-webhooks openedx-webhooks added the open-source-contribution PR author is not from Axim or 2U label Oct 6, 2025
@github-project-automation github-project-automation bot moved this to Needs Triage in Contributions Oct 6, 2025
@bradenmacdonald
Copy link
Contributor

bradenmacdonald commented Oct 6, 2025
edited
Loading

A self-closing script tag is not valid in HTML 5 (and meaningless in HTML4), and is only valid in XHTML if it is served with the correct MIME type from the server, which our XBlocks probably aren't. So I don't see why we would try to support this. <script> tags intentionally allow HTML/text to be inside, to be rendered when the user has JavaScript turned off. That's unlikely/impossible to happen in this case, but it's a reasonable assumption of the text editor that you're trying to specify the alternate text for the script tag ("This is content").

So: I don't think we want to encourage users to write self-closing tags, nor care what happens if they do.

However, if this is a change in behavior and is breaking existing course content, that would be a different story.

@mphilbrick211 mphilbrick211 moved this from Needs Triage to Waiting on Author in Contributions Oct 6, 2025
@mphilbrick211
Copy link

mphilbrick211 commented Oct 29, 2025

A self-closing script tag is not valid in HTML 5 (and meaningless in HTML4), and is only valid in XHTML if it is served with the correct MIME type from the server, which our XBlocks probably aren't. So I don't see why we would try to support this. <script> tags intentionally allow HTML/text to be inside, to be rendered when the user has JavaScript turned off. That's unlikely/impossible to happen in this case, but it's a reasonable assumption of the text editor that you're trying to specify the alternate text for the script tag ("This is content").

So: I don't think we want to encourage users to write self-closing tags, nor care what happens if they do.

However, if this is a change in behavior and is breaking existing course content, that would be a different story.

Friendly ping on this, @marslanabdulrauf!

@kboots-mit
Copy link

kboots-mit commented Nov 5, 2025

A self-closing script tag is not valid in HTML 5 (and meaningless in HTML4), and is only valid in XHTML if it is served with the correct MIME type from the server, which our XBlocks probably aren't. So I don't see why we would try to support this. <script> tags intentionally allow HTML/text to be inside, to be rendered when the user has JavaScript turned off. That's unlikely/impossible to happen in this case, but it's a reasonable assumption of the text editor that you're trying to specify the alternate text for the script tag ("This is content").

So: I don't think we want to encourage users to write self-closing tags, nor care what happens if they do.

However, if this is a change in behavior and is breaking existing course content, that would be a different story.

I agree that we shouldn't encourage writing self closing script tags, but

They are allowed in other types of components.
It is a change in behavior. This wasn't the behavior in the past
It is breaking existing content

@bradenmacdonald
Copy link
Contributor

bradenmacdonald commented Nov 5, 2025

OK, if it's a change in behavior that's breaking existing content, we can merge this.

Could you first please get the lints passing? The < and > characters in the regex do not need to be escaped with \. And please also update the comment to say something like // protect self-closing <script /> tags from being mangled, to preserve backwards compatibility with content that relied on this behavior

Then I will merge.

@marslanabdulrauf marslanabdulrauf force-pushed the marslan/7208-self-closing-script branch from 33e7f07 to 0116611 Compare November 5, 2025 21:44
@marslanabdulrauf
Copy link
Contributor Author

marslanabdulrauf commented Nov 5, 2025

@bradenmacdonald its ready for review now

@bradenmacdonald
Copy link
Contributor

bradenmacdonald commented Nov 5, 2025

@marslanabdulrauf I just need you to split that comment into two lines, please - the lint check is failing because the line is now too long. Make sure that npm run lint is passing locally before you push your changes.

bradenmacdonald
bradenmacdonald approved these changes Nov 5, 2025
View reviewed changes
Copy link
Contributor

@bradenmacdonald bradenmacdonald left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tested this manually and confirmed it works around the issue. I can merge as soon as the code is updated to pass the lint checks.

(Though I would encourage everyone to avoid using self-closing tags of any sort in HTML, and especially <script /> tags in particular.)

@codecov
Copy link

codecov bot commented Nov 6, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.82%. Comparing base (5cda284) to head (76624d9).
⚠️ Report is 4 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #2510   +/-   ##
=======================================
  Coverage   94.82%   94.82%           
=======================================
  Files        1226     1226           
  Lines       27557    27559    +2     
  Branches     6209     6213    +4     
=======================================
+ Hits        26131    26133    +2     
  Misses       1355     1355           
  Partials       71       71

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@bradenmacdonald bradenmacdonald merged commit 6afe609 into openedx:master Nov 6, 2025
7 checks passed
@github-project-automation github-project-automation bot moved this from Waiting on Author to Done in Contributions Nov 6, 2025
@bradenmacdonald
Copy link
Contributor

bradenmacdonald commented Nov 6, 2025

Thanks @marslanabdulrauf ! Could you please backport this to Ulmo too?

@marslanabdulrauf marslanabdulrauf mentioned this pull request Nov 7, 2025
Open
@marslanabdulrauf
Copy link
Contributor Author

marslanabdulrauf commented Nov 7, 2025

Thanks @marslanabdulrauf ! Could you please backport this to Ulmo too?

yes, here is thebackport PR for this: #2608

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bradenmacdonald bradenmacdonald bradenmacdonald approved these changes

Assignees

No one assigned

Labels

open-source-contribution PR author is not from Axim or 2U

Projects

Contributions
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@marslanabdulrauf @openedx-webhooks @bradenmacdonald @mphilbrick211 @kboots-mit