I've found yet another crappy ad with a script tag that does not exist at the top-level but inside another tag.

Test case:

<!DOCTYPE html>
<html>
<body>

<div id="placeholder"></div>
<script src="/clientscripts/crapLoader.js"></script>
<script>crapLoader.loadScript('./crap-ad.js', 'placeholder');</script>

</body>
</html>

crap-ad.js:

document.write('<div><scr'+'ipt>var x = 1;</scr'+'ipt><span>HTML</span><'+'/div>');

The correct output (without crapLoader) is:

<div><span>HTML</span></div>

With crapLoader the result is:

<div></div><span>HTML</span>

The "split" function works fine (with support.splitWithCapturingParentheses = true):

["<div>", "<script>var x = 1;</script>", "<span>HTML</span></div>"] 

The problem seems to be that later in the function "checkWriteBuffer" the HTML fragments are written to the document independently. I do not yet have an idea how to fix this issue.

[Btw, with support.splitWithCapturingParentheses = false the split does not work correctly, but that's another bug that is independent from this issue here:]

["<script>var x = 1;</script>", "<span>HTML</span></div>"]