diff --git a/lib/runtime/AutoPublicPathRuntimeModule.js b/lib/runtime/AutoPublicPathRuntimeModule.js
index fcad7ea3a9a..74b40a1e883 100644
--- a/lib/runtime/AutoPublicPathRuntimeModule.js
+++ b/lib/runtime/AutoPublicPathRuntimeModule.js
@@ -50,7 +50,10 @@ class AutoPublicPathRuntimeModule extends RuntimeModule {
 `var document = ${RuntimeGlobals.global}.document;`,
 "if (!scriptUrl && document) {",
 Template.indent([
- "if (document.currentScript)",
+ // Technically we could use `document.currentScript instanceof window.HTMLScriptElement`,
+ // but an attacker could try to inject ``
+ // and use ``
+ "if (document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT')",
 Template.indent("scriptUrl = document.currentScript.src;"),
 "if (!scriptUrl) {",
 Template.indent([
diff --git a/test/Stats.test.js b/test/Stats.test.js
index 685b8d61162..a1965e4123c 100644
--- a/test/Stats.test.js
+++ b/test/Stats.test.js
@@ -190,10 +190,10 @@ describe("Stats", () => {
 "assets": Array [
 Object {
 "name": "entryB.js",
- "size": 3010,
+ "size": 3060,
 },
 ],
- "assetsSize": 3010,
+ "assetsSize": 3060,
 "auxiliaryAssets": undefined,
 "auxiliaryAssetsSize": 0,
 "childAssets": undefined,
@@ -238,10 +238,10 @@ describe("Stats", () => {
 "info": Object {
 "javascriptModule": false,
 "minimized": true,
- "size": 3010,
+ "size": 3060,
 },
 "name": "entryB.js",
- "size": 3010,
+ "size": 3060,
 "type": "asset",
 },
 Object {
diff --git a/test/helpers/CurrentScript.js b/test/helpers/CurrentScript.js
index b198c1b583f..8feb610b6bd 100644
--- a/test/helpers/CurrentScript.js
+++ b/test/helpers/CurrentScript.js
@@ -2,6 +2,7 @@ class CurrentScript {
 constructor(path = "", type = "text/javascript") {
 this.src = `https://test.cases/path/${path}index.js`;
 this.type = type;
+ this.tagName = "script";
 }
 }
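Review bot: The new guard on the `if (document.currentScript && ...)` line assumes `tagName` is a string, but the DOM clobbering it defends against can break that assumption: a `<form name="currentScript">` containing a control named `tagName` makes `document.currentScript.tagName` resolve to that control (HTMLFormElement's named getter overrides built-in properties), so `.toUpperCase()` throws a TypeError when the runtime code executes instead of falling through to the `if (!scriptUrl)` script-tag scan below it. A `typeof` check keeps the fallback reachable: `"if (document.currentScript && typeof document.currentScript.tagName === 'string' && document.currentScript.tagName.toUpperCase() === 'SCRIPT')"`. If I read the named-getter semantics right this is a denial-of-service rather than a public-path takeover, so the change is defensive rather than urgent. Separately, the two added comment lines render here with empty backtick spans after `inject` and `use`, so the stated reason for preferring the tagName check over `instanceof window.HTMLScriptElement` is unreadable; the comment should name the injected markup explicitly, e.g. the element an attacker would use to clobber `document.currentScript`. The enclosing method starts and ends outside the hunk.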