Properly escape inline <script>

Test Plan:
Loaded Phabricator page, checked the source code. Also:

    $c_uri = '//connect.facebook.net/en_US/all.js#xfbml=1&appId=';
    echo CelerityStaticResourceResponse::renderInlineScript(
      jsprintf(
        'console.log(%s); // </script>
        %s',
        $c_uri,
        "</script><b>x</b>"));

Reviewers: epriestley, btrahan

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D5741

src/applications/phame/view/PhamePostView.php

@@ -162,8 +162,7 @@ final class PhamePostView extends AphrontView {
       '');
 
     $c_uri = '//connect.facebook.net/en_US/all.js#xfbml=1&appId='.$fb_id;
-    $fb_js = hsprintf(
-      '<script>%s</script>',
+    $fb_js = CelerityStaticResourceResponse::renderInlineScript(
       jsprintf(
         '(function(d, s, id) {'.
         ' var js, fjs = d.getElementsByTagName(s)[0];'.
@@ -211,8 +210,7 @@ final class PhamePostView extends AphrontView {
       ));
 
     // protip - try some  var disqus_developer = 1; action to test locally
-    $disqus_js = hsprintf(
-      '<script>%s</script>',
+    $disqus_js = CelerityStaticResourceResponse::renderInlineScript(
       jsprintf(
         ' var disqus_shortname = "phabricator";'.
         ' var disqus_identifier = %s;'.

src/infrastructure/celerity/CelerityStaticResourceResponse.php

@@ -182,14 +182,24 @@ final class CelerityStaticResourceResponse {
 
     if ($data) {
       $data = implode("\n", $data);
-      return hsprintf(
-        '<script type="text/javascript">//<![CDATA['."\n".'%s//]]></script>',
-        phutil_safe_html($data));
+      return self::renderInlineScript($data);
     } else {
       return '';
     }
   }
 
+  public static function renderInlineScript($data) {
+    if (stripos($data, '</script>') !== false) {
+      throw new Exception(
+        'Literal </script> is not allowed inside inline script.');
+    }
+    return hsprintf(
+      // We don't use <![CDATA[ ]]> because it is ignored by HTML parsers. We
+      // would need to send the document with XHTML content type.
+      '<script type="text/javascript">%s</script>',
+      phutil_safe_html($data));
+  }
+
   public function buildAjaxResponse($payload, $error = null) {
     $response = array(
       'error'   => $error,

src/view/page/PhabricatorBarePageView.php

@@ -91,13 +91,14 @@ class PhabricatorBarePageView extends AphrontPageView {
 
     $response = CelerityAPI::getStaticResourceResponse();
 
+    $developer = PhabricatorEnv::getEnvConfig('phabricator.developer-mode');
     return hsprintf(
-      '%s%s%s<script type="text/javascript">%s window.__DEV__=%s;</script>%s',
+      '%s%s%s%s%s',
       $viewport_tag,
       $icon_tag,
       $apple_tag,
-      $framebust,
-      (PhabricatorEnv::getEnvConfig('phabricator.developer-mode') ? '1' : '0'),
+      CelerityStaticResourceResponse::renderInlineScript(
+        $framebust.jsprintf('window.__DEV__=%d;', ($developer ? 1 : 0))),
       $response->renderResourcesOfType('css'));
   }