From 5c9510c2b8260711f720aef9e1c8ee446662290a Mon Sep 17 00:00:00 2001
From: Hiroshi Ogawa <hi.ogawa.zz@gmail.com>
Date: Thu, 21 May 2026 11:43:47 +0900
Subject: [PATCH 1/2] fix(browser): escape inline orchestrator scripts

Co-authored-by: Codex <noreply@openai.com>
---
 packages/browser/src/node/serverOrchestrator.ts | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/packages/browser/src/node/serverOrchestrator.ts b/packages/browser/src/node/serverOrchestrator.ts
index e730fad0c555..ff84adf4c9be 100644
--- a/packages/browser/src/node/serverOrchestrator.ts
+++ b/packages/browser/src/node/serverOrchestrator.ts
@@ -61,7 +61,7 @@ export async function resolveOrchestrator(
       for (const attr in script.attrs || {}) {
         html += `${attr}="${script.attrs![attr]}" `
       }
-      html += `>${script.children}</script>`
+      html += `>${escapeInlineScript(typeof script.children === 'string' ? script.children : '')}</script>`
       return html
     }).join('\n')
   }
@@ -96,8 +96,14 @@ export async function resolveOrchestrator(
     __VITEST_FAVICON__: globalServer.faviconUrl,
     __VITEST_TITLE__: 'Vitest Browser Runner',
     __VITEST_SCRIPTS__: globalServer.orchestratorScripts,
-    __VITEST_INJECTOR__: `<script type="module">${injector}</script>`,
+    __VITEST_INJECTOR__: `<script type="module">${escapeInlineScript(injector)}</script>`,
     __VITEST_ERROR_CATCHER__: `<script type="module" src="${globalServer.errorCatcherUrl}"></script>`,
     __VITEST_SESSION_ID__: JSON.stringify(sessionId),
   })
 }
+
+function escapeInlineScript(content: string): string {
+  return content
+    .replace(/<!--/g, '<\\!--')
+    .replace(/<\/(script)/gi, '</\\$1')
+}

From 9df55d8244cf8a7e65a47bc62e2c6d9209fcb34b Mon Sep 17 00:00:00 2001
From: Hiroshi Ogawa <hi.ogawa.zz@gmail.com>
Date: Thu, 21 May 2026 12:42:24 +0900
Subject: [PATCH 2/2] test: e2e

---
 .../fixtures/inline-script/basic.test.ts      |  5 ++++
 .../fixtures/inline-script/vite.config.ts     | 26 +++++++++++++++++++
 test/browser/specs/inline-script.test.ts      | 16 ++++++++++++
 3 files changed, 47 insertions(+)
 create mode 100644 test/browser/fixtures/inline-script/basic.test.ts
 create mode 100644 test/browser/fixtures/inline-script/vite.config.ts
 create mode 100644 test/browser/specs/inline-script.test.ts

diff --git a/test/browser/fixtures/inline-script/basic.test.ts b/test/browser/fixtures/inline-script/basic.test.ts
new file mode 100644
index 000000000000..44d1db32faea
--- /dev/null
+++ b/test/browser/fixtures/inline-script/basic.test.ts
@@ -0,0 +1,5 @@
+import { expect, inject, test } from 'vitest'
+
+test('provide', () => {
+  expect(inject('someKey' as never)).toBe('</script><h1>inject1</h1><!--')
+})
diff --git a/test/browser/fixtures/inline-script/vite.config.ts b/test/browser/fixtures/inline-script/vite.config.ts
new file mode 100644
index 000000000000..75f7b8fb9f94
--- /dev/null
+++ b/test/browser/fixtures/inline-script/vite.config.ts
@@ -0,0 +1,26 @@
+import path from 'node:path'
+import { fileURLToPath } from 'node:url'
+import { defineConfig } from 'vitest/config'
+import { instances, provider } from '../../settings'
+
+export default defineConfig({
+  cacheDir: path.join(
+    path.dirname(fileURLToPath(import.meta.url)),
+    'node_modules/.vite'
+  ),
+  test: {
+    browser: {
+      enabled: true,
+      provider,
+      instances: [instances[0]],
+      orchestratorScripts: [
+        {
+          content: 'globalThis.__injected = "</script><h1>inject2</h1><!--"',
+        },
+      ],
+    },
+    provide: {
+      someKey: "</script><h1>inject1</h1><!--",
+    },
+  },
+})
diff --git a/test/browser/specs/inline-script.test.ts b/test/browser/specs/inline-script.test.ts
new file mode 100644
index 000000000000..be0e2e15a7b0
--- /dev/null
+++ b/test/browser/specs/inline-script.test.ts
@@ -0,0 +1,16 @@
+import { expect, test } from 'vitest'
+import { runBrowserTests } from './utils'
+
+test('escape inline script', async () => {
+  const result = await runBrowserTests({
+    root: './fixtures/inline-script',
+  })
+  expect(result.stderr).toMatchInlineSnapshot(`""`)
+  expect(result.errorTree()).toMatchInlineSnapshot(`
+    {
+      "basic.test.ts": {
+        "provide": "passed",
+      },
+    }
+  `)
+})