Custom HTML with <script> incorrectly encodes '&' character

[talldanwp]

This was originally reported in the Gutenberg github repo (​https://github.com/WordPress/gutenberg/issues/13186), but during a triage session in slack was identified as a core bug (​https://wordpress.slack.com/archives/C02QB2JS7/p1579758213000600). #34698 is possibly related.

---

Describe the bug
If the javascript code in a <script> block contains an & operator, it will be converted to &#038, which browser flags as a syntax error. The script will not work.

I am using WP 5.0.2, Gutenberg updated Jan 3, 2019 (don't know where to find the version), hosted on easyWP.

Example:

<script>
  const hex = [];
  for (let i = 0; i < 256; i++) {
    hex[i] = (i < 16 ? '0' : '') + (i).toString(16);
  }
  function generateUUID() {
    const r = crypto.getRandomValues(new Uint8Array(16));
    r[6] = r[6] & 0x0f | 0x40;
    r[8] = r[8] & 0x3f | 0x80;
    const h = Array.from(r).map(i => hex[i]);
    return `${h[0]}${h[1]}${h[2]}${h[3]}-${h[4]}${h[5]}-${h[6]}${h[7]}-${h[8]}${h[9]}-${h[10]}${h[11]}${h[12]}${h[13]}${h[14]}${h[15]}`;
  }
</script>

To Reproduce
Steps to reproduce the behavior:

1. Go to a Page
2. Click on 'add Custom HTML'
3. Paste the above HTML <script> snippet into the block.
4. Preview the change
5. Open the JavaScript console. You will see a syntax error: "Invalid Character: '#'":

    r[6] = r[6] & 0x0f | 0x40;
    r[8] = r[8] & 0x3f | 0x80;

Expected behavior
I expect no syntax errors. The script should be rendered without any encoding of characters.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: Mac OS X 10.14
• Browser chrome and safari
• Version chrome 71.0.3578.98

[sabernhardt]

This was reported as early as #43785, so I'll close as a duplicate.