OutputPage: Use the same script tag pattern as Html::inlineScript()

Not sure why they are different in the first place, probably a mistake.

The `user` and `site` modules would be embeded as a string, so can be
previewed with <script> etc escaped properly, leaving the bug only
reproducible with User/global.js via the GlobalCssJs extension.

Bug: T360258
Change-Id: I61a3d9926dbfd7630c37bebd9d46fa49b05a4fc6

1 files changed, 4 insertions, 4 deletions

diff --git a/includes/Output/OutputPage.php b/includes/Output/OutputPage.php
index ba46af15274e..225b94012554 100644
--- a/includes/Output/OutputPage.php
+++ b/includes/Output/OutputPage.php
@@ -3404,18 +3404,18 @@ class OutputPage extends ContextSource {
 			);
 			if ( $this->contentOverrideCallbacks ) {
 				$this->rlClientContext = new RL\DerivativeContext( $this->rlClientContext );
-				$this->rlClientContext->setContentOverrideCallback( function ( $title ) {
+				$this->rlClientContext->setContentOverrideCallback( function ( $page ) {
 					foreach ( $this->contentOverrideCallbacks as $callback ) {
-						$content = $callback( $title );
+						$content = $callback( $page );
 						if ( $content !== null ) {
 							$text = ( $content instanceof TextContent ) ? $content->getText() : '';
-							if ( strpos( $text, '</script>' ) !== false ) {
+							if ( preg_match( '/<\/?script/i', $text ) ) {
 								// Proactively replace this so that we can display a message
 								// to the user, instead of letting it go to Html::inlineScript(),
 								// where it would be considered a server-side issue.
 								$content = new JavaScriptContent(
 									Html::encodeJsCall( 'mw.log.error', [
-										"Cannot preview $title due to script-closing tag."
+										"Cannot preview $page due to suspecting script tag inside (T200506)."
 									] )
 								);
 							}