

Timestamp:
02/23/2021 01:58:21 AM (4 years ago)
Author:
peterwilsoncc
Message:

Security: move Content-Security-Policy script loaders.

Move wp_get_script_tag(), wp_print_script_tag(), wp_print_inline_script_tag() and wp_get_inline_script_tag() functions from functions.php to script-loader.php.

Relocate related tests to dependencies sub-directory.

Follow up to [50167].
Props adamsilverstein, hellofromTonya, SergeyBiryukov.
Fixes #39941.

File:
1 edited

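--- a/trunk/src/wp-includes/script-loader.php
+++ b/trunk/src/wp-includes/script-loader.php
@@ -2333,2 +2333,122 @@
     wp_enqueue_style( 'wp-block-directory' );
 }
+
+/**
+ * Sanitizes an attributes array into an attributes string to be placed inside a `<script>` tag.
+ *
+ * Automatically injects type attribute if needed.
+ * Used by {@see wp_get_script_tag()} and {@see wp_get_inline_script_tag()}.
+ *
+ * @since 5.7.0
+ *
+ * @param array $attributes Key-value pairs representing `<script>` tag attributes.
+ * @return string String made of sanitized `<script>` tag attributes.
+ */
+function wp_sanitize_script_attributes( $attributes ) {
+    $html5_script_support = ! is_admin() && ! current_theme_supports( 'html5', 'script' );
+    $attributes_string    = '';
+
+    // If HTML5 script tag is supported, only the attribute name is added
+    // to $attributes_string for entries with a boolean value, and that are true.
+    foreach ( $attributes as $attribute_name => $attribute_value ) {
+        if ( is_bool( $attribute_value ) ) {
+            if ( $attribute_value ) {
+                $attributes_string .= $html5_script_support ? sprintf( ' %1$s="%2$s"', esc_attr( $attribute_name ), esc_attr( $attribute_name ) ) : ' ' . $attribute_name;
+            }
+        } else {
+            $attributes_string .= sprintf( ' %1$s="%2$s"', esc_attr( $attribute_name ), esc_attr( $attribute_value ) );
+        }
+    }
+
+    return $attributes_string;
+}
+
+/**
+ * Formats `<script>` loader tags.
+ *
+ * It is possible to inject attributes in the `<script>` tag via the {@see 'wp_script_attributes'} filter.
+ * Automatically injects type attribute if needed.
+ *
+ * @since 5.7.0
+ *
+ * @param array $attributes Key-value pairs representing `<script>` tag attributes.
+ * @return string String containing `<script>` opening and closing tags.
+ */
+function wp_get_script_tag( $attributes ) {
+    if ( ! isset( $attributes['type'] ) && ! is_admin() && ! current_theme_supports( 'html5', 'script' ) ) {
+        $attributes['type'] = 'text/javascript';
+    }
+    /**
+     * Filters attributes to be added to a script tag.
+     *
+     * @since 5.7.0
+     *
+     * @param array $attributes Key-value pairs representing `<script>` tag attributes.
+     *                          Only the attribute name is added to the `<script>` tag for
+     *                          entries with a boolean value, and that are true.
+     */
+    $attributes = apply_filters( 'wp_script_attributes', $attributes );
+
+    return sprintf( "<script%s></script>\n", wp_sanitize_script_attributes( $attributes ) );
+}
+
+/**
+ * Prints formatted `<script>` loader tag.
+ *
+ * It is possible to inject attributes in the `<script>` tag via the  {@see 'wp_script_attributes'}  filter.
+ * Automatically injects type attribute if needed.
+ *
+ * @since 5.7.0
+ *
+ * @param array $attributes Key-value pairs representing `<script>` tag attributes.
+ */
+function wp_print_script_tag( $attributes ) {
+    echo wp_get_script_tag( $attributes );
+}
+
+/**
+ * Wraps inline JavaScript in `<script>` tag.
+ *
+ * It is possible to inject attributes in the `<script>` tag via the  {@see 'wp_script_attributes'}  filter.
+ * Automatically injects type attribute if needed.
+ *
+ * @since 5.7.0
+ *
+ * @param string $javascript Inline JavaScript code.
+ * @param array  $attributes  Optional. Key-value pairs representing `<script>` tag attributes.
+ * @return string String containing inline JavaScript code wrapped around `<script>` tag.
+ */
+function wp_get_inline_script_tag( $javascript, $attributes = array() ) {
+    if ( ! isset( $attributes['type'] ) && ! is_admin() && ! current_theme_supports( 'html5', 'script' ) ) {
+        $attributes['type'] = 'text/javascript';
+    }
+    /**
+     * Filters attributes to be added to a script tag.
+     *
+     * @since 5.7.0
+     *
+     * @param array $attributes Key-value pairs representing `<script>` tag attributes.
+     *                          Only the attribute name is added to the `<script>` tag for
+     *                          entries with a boolean value, and that are true.
+     */
+    $attributes = apply_filters( 'wp_inline_script_attributes', $attributes, $javascript );
+
+    $javascript = "\n" . trim( $javascript, "\n\r " ) . "\n";
+
+    return sprintf( "<script%s>%s</script>\n", wp_sanitize_script_attributes( $attributes ), $javascript );
+}
+
+/**
+ * Prints inline JavaScript wrapped in `<script>` tag.
+ *
+ * It is possible to inject attributes in the `<script>` tag via the  {@see 'wp_script_attributes'}  filter.
+ * Automatically injects type attribute if needed.
+ *
+ * @since 5.7.0
+ *
+ * @param string $javascript Inline JavaScript code.
+ * @param array  $attributes Optional. Key-value pairs representing `<script>` tag attributes.
+ */
+function wp_print_inline_script_tag( $javascript, $attributes = array() ) {
+    echo wp_get_inline_script_tag( $javascript, $attributes );
+}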
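Review bot: In wp_sanitize_script_attributes the HTML5 boolean-attribute branch appends the attribute name unescaped (`' ' . $attribute_name`) while the other two branches run the name through `esc_attr()`, so a key reaching the function via the `wp_script_attributes` or `wp_inline_script_attributes` filter is the one input this "sanitize" function emits raw; writing that branch as `' ' . esc_attr( $attribute_name )` makes the three branches consistent. The local `$html5_script_support` is true precisely when the theme does not declare html5 script support (`! current_theme_supports( 'html5', 'script' )`), which reads backwards against the comment above the loop; inverting the expression or renaming it would avoid the confusion. The docblocks also drifted: wp_sanitize_script_attributes says it "Automatically injects type attribute if needed" although only the two callers set `$attributes['type']`, and wp_get_inline_script_tag and wp_print_inline_script_tag point readers at `wp_script_attributes` while the code applies `wp_inline_script_attributes`, whose inner hook docblock does not list the `$javascript` argument it passes. Since the commit message describes this as a move from functions.php, these presumably predate the change, but the relocation is a natural place to fix them.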