Custom HTML with <script> incorrectly encodes & character

[mattbishop]

Describe the bug
If the javascript code in a <script> block contains an & operator, it will be converted to &#038, which browser flags as a syntax error. The script will not work.

I am using WP 5.0.2, Gutenberg updated Jan 3, 2019 (don't know where to find the version), hosted on easyWP.

Example:

<script>
  const hex = [];
  for (let i = 0; i < 256; i++) {
    hex[i] = (i < 16 ? '0' : '') + (i).toString(16);
  }
  function generateUUID() {
    const r = crypto.getRandomValues(new Uint8Array(16));
    r[6] = r[6] & 0x0f | 0x40;
    r[8] = r[8] & 0x3f | 0x80;
    const h = Array.from(r).map(i => hex[i]);
    return `${h[0]}${h[1]}${h[2]}${h[3]}-${h[4]}${h[5]}-${h[6]}${h[7]}-${h[8]}${h[9]}-${h[10]}${h[11]}${h[12]}${h[13]}${h[14]}${h[15]}`;
  }
</script>

To Reproduce
Steps to reproduce the behavior:

1. Go to a Page
2. Click on 'add Custom HTML'
3. Paste the above HTML <script> snippet into the block.
4. Preview the change
5. Open the JavaScript console. You will see a syntax error: "Invalid Character: '#'":

    r[6] = r[6] & 0x0f | 0x40;
    r[8] = r[8] & 0x3f | 0x80;

Expected behavior
I expect no syntax errors. The script should be rendered without any encoding of characters.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: Mac OS X 10.14
• Browser chrome and safari
• Version chrome 71.0.3578.98

[mattbishop]

An interesting workaround WRT this snippet is to define the hex const after generateUUID(). This script block works as expected:

<script>
  function generateUUID() {
    const r = crypto.getRandomValues(new Uint8Array(16));
    r[6] = r[6] & 0x0f | 0x40;
    r[8] = r[8] & 0x3f | 0x80;
    const h = Array.from(r).map(i => hex[i]);
    return `${h[0]}${h[1]}${h[2]}${h[3]}-${h[4]}${h[5]}-${h[6]}${h[7]}-${h[8]}${h[9]}-${h[10]}${h[11]}${h[12]}${h[13]}${h[14]}${h[15]}`;
  }

  const hex = [];
  for (let i = 0; i < 256; i++) {
    hex[i] = (i < 16 ? '0' : '') + (i).toString(16);
  }
</script>

[finip]

i think the problem we have is the same. we used wp:html before. if I want to confirm the misplacement, you should have the same reason as wp:code.
the same question:
#13218

[meceware]

Hi,

This is still open with WP 5.1.1, Gutenberg updated.

[talldan]

This was identified as a WordPress core issue in a triage session (https://wordpress.slack.com/archives/C02QB2JS7/p1579758213000600).

I've reported this upstream in trac (https://core.trac.wordpress.org/ticket/49480).