Nested script tags are not properly escaped

[jbrichau]

Adding the following snippet to a Seaside render method breaks the generated html because the closing script tag in the jQuery append expression is not properly escaped.

html anchor script:
	((html jQuery this closest: 'div') append: [ :r |
		 r div script: (html jQuery this
				  on: 'click'
				  selector: '.class'
				  do: (JSStream on: 'alert(''nested script''')) ])

In Seaside 3.0, the method https://github.com/SeasideSt/Seaside/blob/61f25aa0e8b820cf1e3d554ef8bcceb12e307233/Javascript-Core.package/JSStream.class/class/encodeString.on..st used to contain code that escapes closing of nested tags:

"avoid that browsers mistakenly take the output as a closing tag"
(last = $< and: [ char = $/ ])
	ifTrue: [ aStream nextPutAll: '\/' ]  
	ifFalse: [ aStream nextPut: char ] ]

#726, the commit comment that removed this from Seaside 3.0 code mentions:

do we really have to encode </ as <\/?

• if it's inside a <script> it should work fine without it
• if it's inside anything other and <script> or <style> HTML escaping should kick in
• if it's inside an attribute value HTML escaping should kick in

[jbrichau]

Comment by @Rinzwind in the PR for the temporary fix: #1380 (comment)

There’s a note in section ‘4.12.1.3 Restrictions for contents of script elements’ in the HTML Living Standard which recommends escaping <!-- and <script as well. The following snippet is based on the example in the section, the page does not show ‘Test Paragraph’ as would be expected:

[jbrichau]

Temporary fix was in #1380
Opened draft PR #1381 to work on proper fix