Changeset 50409


Timestamp:
02/23/2021 01:58:21 AM (8 months ago)
Author:
peterwilsoncc
Message:

Security: move Content-Security-Policy script loaders.

Move wp_get_script_tag(), wp_print_script_tag(), wp_print_inline_script_tag() and wp_get_inline_script_tag() functions from functions.php to script-loader.php.

Relocate related tests to dependencies sub-directory.

Follow up to [50167].
Props adamsilverstein, hellofromTonya, SergeyBiryukov.
Fixes #39941.

Location:
trunk
Files:
2 edited
3 moved

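--- a/trunk/src/wp-includes/functions.php
+++ b/trunk/src/wp-includes/functions.php
@@ -7867,122 +7867,2 @@
     return abs( (float) $expected - (float) $actual ) <= $precision;
 }
-
-/**
- * Sanitizes an attributes array into an attributes string to be placed inside a `<script>` tag.
- *
- * Automatically injects type attribute if needed.
- * Used by {@see wp_get_script_tag()} and {@see wp_get_inline_script_tag()}.
- *
- * @since 5.7.0
- *
- * @param array $attributes Key-value pairs representing `<script>` tag attributes.
- * @return string String made of sanitized `<script>` tag attributes.
- */
-function wp_sanitize_script_attributes( $attributes ) {
-    $html5_script_support = ! is_admin() && ! current_theme_supports( 'html5', 'script' );
-    $attributes_string    = '';
-
-    // If HTML5 script tag is supported, only the attribute name is added
-    // to $attributes_string for entries with a boolean value, and that are true.
-    foreach ( $attributes as $attribute_name => $attribute_value ) {
-        if ( is_bool( $attribute_value ) ) {
-            if ( $attribute_value ) {
-                $attributes_string .= $html5_script_support ? sprintf( ' %1$s="%2$s"', esc_attr( $attribute_name ), esc_attr( $attribute_name ) ) : ' ' . $attribute_name;
-            }
-        } else {
-            $attributes_string .= sprintf( ' %1$s="%2$s"', esc_attr( $attribute_name ), esc_attr( $attribute_value ) );
-        }
-    }
-
-    return $attributes_string;
-}
-
-/**
- * Formats `<script>` loader tags.
- *
- * It is possible to inject attributes in the `<script>` tag via the {@see 'wp_script_attributes'} filter.
- * Automatically injects type attribute if needed.
- *
- * @since 5.7.0
- *
- * @param array $attributes Key-value pairs representing `<script>` tag attributes.
- * @return string String containing `<script>` opening and closing tags.
- */
-function wp_get_script_tag( $attributes ) {
-    if ( ! isset( $attributes['type'] ) && ! is_admin() && ! current_theme_supports( 'html5', 'script' ) ) {
-        $attributes['type'] = 'text/javascript';
-    }
-    /**
-     * Filters attributes to be added to a script tag.
-     *
-     * @since 5.7.0
-     *
-     * @param array $attributes Key-value pairs representing `<script>` tag attributes.
-     *                          Only the attribute name is added to the `<script>` tag for
-     *                          entries with a boolean value, and that are true.
-     */
-    $attributes = apply_filters( 'wp_script_attributes', $attributes );
-
-    return sprintf( "<script%s></script>\n", wp_sanitize_script_attributes( $attributes ) );
-}
-
-/**
- * Prints formatted `<script>` loader tag.
- *
- * It is possible to inject attributes in the `<script>` tag via the  {@see 'wp_script_attributes'}  filter.
- * Automatically injects type attribute if needed.
- *
- * @since 5.7.0
- *
- * @param array $attributes Key-value pairs representing `<script>` tag attributes.
- */
-function wp_print_script_tag( $attributes ) {
-    echo wp_get_script_tag( $attributes );
-}
-
-/**
- * Wraps inline JavaScript in `<script>` tag.
- *
- * It is possible to inject attributes in the `<script>` tag via the  {@see 'wp_script_attributes'}  filter.
- * Automatically injects type attribute if needed.
- *
- * @since 5.7.0
- *
- * @param string $javascript Inline JavaScript code.
- * @param array  $attributes  Optional. Key-value pairs representing `<script>` tag attributes.
- * @return string String containing inline JavaScript code wrapped around `<script>` tag.
- */
-function wp_get_inline_script_tag( $javascript, $attributes = array() ) {
-    if ( ! isset( $attributes['type'] ) && ! is_admin() && ! current_theme_supports( 'html5', 'script' ) ) {
-        $attributes['type'] = 'text/javascript';
-    }
-    /**
-     * Filters attributes to be added to a script tag.
-     *
-     * @since 5.7.0
-     *
-     * @param array $attributes Key-value pairs representing `<script>` tag attributes.
-     *                          Only the attribute name is added to the `<script>` tag for
-     *                          entries with a boolean value, and that are true.
-     */
-    $attributes = apply_filters( 'wp_inline_script_attributes', $attributes, $javascript );
-
-    $javascript = "\n" . trim( $javascript, "\n\r " ) . "\n";
-
-    return sprintf( "<script%s>%s</script>\n", wp_sanitize_script_attributes( $attributes ), $javascript );
-}
-
-/**
- * Prints inline JavaScript wrapped in `<script>` tag.
- *
- * It is possible to inject attributes in the `<script>` tag via the  {@see 'wp_script_attributes'}  filter.
- * Automatically injects type attribute if needed.
- *
- * @since 5.7.0
- *
- * @param string $javascript Inline JavaScript code.
- * @param array  $attributes Optional. Key-value pairs representing `<script>` tag attributes.
- */
-function wp_print_inline_script_tag( $javascript, $attributes = array() ) {
-    echo wp_get_inline_script_tag( $javascript, $attributes );
-}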
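--- a/trunk/src/wp-includes/script-loader.php
+++ b/trunk/src/wp-includes/script-loader.php
@@ -2333,2 +2333,122 @@
     wp_enqueue_style( 'wp-block-directory' );
 }
+
+/**
+ * Sanitizes an attributes array into an attributes string to be placed inside a `<script>` tag.
+ *
+ * Automatically injects type attribute if needed.
+ * Used by {@see wp_get_script_tag()} and {@see wp_get_inline_script_tag()}.
+ *
+ * @since 5.7.0
+ *
+ * @param array $attributes Key-value pairs representing `<script>` tag attributes.
+ * @return string String made of sanitized `<script>` tag attributes.
+ */
+function wp_sanitize_script_attributes( $attributes ) {
+    $html5_script_support = ! is_admin() && ! current_theme_supports( 'html5', 'script' );
+    $attributes_string    = '';
+
+    // If HTML5 script tag is supported, only the attribute name is added
+    // to $attributes_string for entries with a boolean value, and that are true.
+    foreach ( $attributes as $attribute_name => $attribute_value ) {
+        if ( is_bool( $attribute_value ) ) {
+            if ( $attribute_value ) {
+                $attributes_string .= $html5_script_support ? sprintf( ' %1$s="%2$s"', esc_attr( $attribute_name ), esc_attr( $attribute_name ) ) : ' ' . $attribute_name;
+            }
+        } else {
+            $attributes_string .= sprintf( ' %1$s="%2$s"', esc_attr( $attribute_name ), esc_attr( $attribute_value ) );
+        }
+    }
+
+    return $attributes_string;
+}
+
+/**
+ * Formats `<script>` loader tags.
+ *
+ * It is possible to inject attributes in the `<script>` tag via the {@see 'wp_script_attributes'} filter.
+ * Automatically injects type attribute if needed.
+ *
+ * @since 5.7.0
+ *
+ * @param array $attributes Key-value pairs representing `<script>` tag attributes.
+ * @return string String containing `<script>` opening and closing tags.
+ */
+function wp_get_script_tag( $attributes ) {
+    if ( ! isset( $attributes['type'] ) && ! is_admin() && ! current_theme_supports( 'html5', 'script' ) ) {
+        $attributes['type'] = 'text/javascript';
+    }
+    /**
+     * Filters attributes to be added to a script tag.
+     *
+     * @since 5.7.0
+     *
+     * @param array $attributes Key-value pairs representing `<script>` tag attributes.
+     *                          Only the attribute name is added to the `<script>` tag for
+     *                          entries with a boolean value, and that are true.
+     */
+    $attributes = apply_filters( 'wp_script_attributes', $attributes );
+
+    return sprintf( "<script%s></script>\n", wp_sanitize_script_attributes( $attributes ) );
+}
+
+/**
+ * Prints formatted `<script>` loader tag.
+ *
+ * It is possible to inject attributes in the `<script>` tag via the  {@see 'wp_script_attributes'}  filter.
+ * Automatically injects type attribute if needed.
+ *
+ * @since 5.7.0
+ *
+ * @param array $attributes Key-value pairs representing `<script>` tag attributes.
+ */
+function wp_print_script_tag( $attributes ) {
+    echo wp_get_script_tag( $attributes );
+}
+
+/**
+ * Wraps inline JavaScript in `<script>` tag.
+ *
+ * It is possible to inject attributes in the `<script>` tag via the  {@see 'wp_script_attributes'}  filter.
+ * Automatically injects type attribute if needed.
+ *
+ * @since 5.7.0
+ *
+ * @param string $javascript Inline JavaScript code.
+ * @param array  $attributes  Optional. Key-value pairs representing `<script>` tag attributes.
+ * @return string String containing inline JavaScript code wrapped around `<script>` tag.
+ */
+function wp_get_inline_script_tag( $javascript, $attributes = array() ) {
+    if ( ! isset( $attributes['type'] ) && ! is_admin() && ! current_theme_supports( 'html5', 'script' ) ) {
+        $attributes['type'] = 'text/javascript';
+    }
+    /**
+     * Filters attributes to be added to a script tag.
+     *
+     * @since 5.7.0
+     *
+     * @param array $attributes Key-value pairs representing `<script>` tag attributes.
+     *                          Only the attribute name is added to the `<script>` tag for
+     *                          entries with a boolean value, and that are true.
+     */
+    $attributes = apply_filters( 'wp_inline_script_attributes', $attributes, $javascript );
+
+    $javascript = "\n" . trim( $javascript, "\n\r " ) . "\n";
+
+    return sprintf( "<script%s>%s</script>\n", wp_sanitize_script_attributes( $attributes ), $javascript );
+}
+
+/**
+ * Prints inline JavaScript wrapped in `<script>` tag.
+ *
+ * It is possible to inject attributes in the `<script>` tag via the  {@see 'wp_script_attributes'}  filter.
+ * Automatically injects type attribute if needed.
+ *
+ * @since 5.7.0
+ *
+ * @param string $javascript Inline JavaScript code.
+ * @param array  $attributes Optional. Key-value pairs representing `<script>` tag attributes.
+ */
+function wp_print_inline_script_tag( $javascript, $attributes = array() ) {
+    echo wp_get_inline_script_tag( $javascript, $attributes );
+}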
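Review bot: In wp_sanitize_script_attributes the bare-name branch for boolean attributes appends `' ' . $attribute_name` without esc_attr(), while the sprintf branch on the same line escapes that very name, so whether an attribute name is escaped depends on the theme's html5 script support; since names can arrive through the 'wp_script_attributes' and 'wp_inline_script_attributes' filters, escaping both branches alike is safer: `$attributes_string .= $html5_script_support ? sprintf( ' %1$s="%2$s"', esc_attr( $attribute_name ), esc_attr( $attribute_name ) ) : ' ' . esc_attr( $attribute_name );`. The local `$html5_script_support` is true exactly when html5 script support is absent, the opposite of what its name says; a name such as `$use_xhtml_attributes` would match the comment above the loop. Separately, the docblocks of wp_get_inline_script_tag and wp_print_inline_script_tag refer to `{@see 'wp_script_attributes'}` although the code applies 'wp_inline_script_attributes', and that filter's own docblock omits its second argument, which could be documented as `@param string $javascript Inline JavaScript code.`.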
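--- a/trunk/tests/phpunit/tests/dependencies/wpInlineScriptTag.php
+++ b/trunk/tests/phpunit/tests/dependencies/wpInlineScriptTag.php
@@ -4,5 +4,8 @@
  * Test wp_get_inline_script_tag() and wp_print_inline_script_tag().
  *
- * @group functions.php
+ * @group dependencies
+ * @group scripts
+ * @covers ::wp_get_inline_script_tag
+ * @covers ::wp_print_inline_script_tag
  */
 class Tests_Functions_wpInlineScriptTag extends WP_UnitTestCase {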
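--- a/trunk/tests/phpunit/tests/dependencies/wpSanitizeScriptAttributes.php
+++ b/trunk/tests/phpunit/tests/dependencies/wpSanitizeScriptAttributes.php
@@ -4,5 +4,7 @@
  * Test wp_sanitize_script_attributes().
  *
- * @group functions.php
+ * @group dependencies
+ * @group scripts
+ * @covers ::wp_sanitize_script_attributes
  */
 class Tests_Functions_wpSanitizeScriptAttributes extends WP_UnitTestCase {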
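--- a/trunk/tests/phpunit/tests/dependencies/wpScriptTag.php
+++ b/trunk/tests/phpunit/tests/dependencies/wpScriptTag.php
@@ -4,5 +4,6 @@
  * Test wp_get_script_tag() and wp_print_script_tag().
  *
- * @group functions.php
+ * @group dependencies
+ * @group scripts
  */
 class Tests_Functions_wpScriptTag extends WP_UnitTestCase {
@@ -38,4 +39,7 @@
     }
 
+    /**
+     * @covers ::wp_get_script_tag
+     */
     function test_get_script_tag_type_not_set() {
         add_theme_support( 'html5', array( 'script' ) );
@@ -55,4 +59,7 @@
     }
 
+    /**
+     * @covers ::wp_print_script_tag
+     */
     function test_print_script_tag_prints_get_script_tag() {
         add_filter(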