Make WordPress Core


Timestamp:
09/25/2023 09:03:19 PM (16 months ago)
Author:
westonruter
Message:

Script Loader: Use wp_get_script_tag() and wp_get_inline_script_tag()/wp_print_inline_script_tag() helper functions to output scripts on the frontend and login screen.

Using script tag helper functions allows plugins to employ the wp_script_attributes and wp_inline_script_attributes filters to inject the nonce attribute to apply Content Security Policy (e.g. Strict CSP). Use of helper functions also simplifies logic in WP_Scripts.

  • Update wp_get_inline_script_tag() to wrap inline script in CDATA blocks for XHTML-compatibility when not using HTML5.
  • Ensure the type attribute is printed first in wp_get_inline_script_tag() for back-compat.
  • Wrap existing <script> tags in output buffering to retain IDE support.
  • In wp_get_inline_script_tag(), append the newline to $javascript before it is passed into the wp_inline_script_attributes filter so that the CSP hash can be computed properly.
  • In the_block_template_skip_link(), opt to enqueue the inline script rather than print it.
  • Add ext-php to composer.json under suggest as previously it was an undeclared dependency for running PHPUnit tests.
  • Update tests to rely on DOMDocument to compare script markup, normalizing unsemantic differences.

Props westonruter, spacedmonkey, flixos90, 10upsimon, dmsnell, mukesh27, joemcgill, swissspidy, azaozz.
Fixes #58664.
See #39941.
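
A minimal plugin showing how the two filters named in the commit message can carry a Strict CSP nonce. This is an added illustration, not code from the changeset or from WordPress core; the `example_csp_*` function names and the exact policy string are assumptions.

```php
<?php
/**
 * Plugin Name: Example Strict CSP nonce (added illustration, not WordPress core code)
 */

// One nonce per request. The function name is hypothetical.
function example_csp_nonce(): string {
	static $nonce = null;
	if ( null === $nonce ) {
		$nonce = base64_encode( random_bytes( 16 ) ); // 128 bits from the CSPRNG.
	}
	return $nonce;
}

// Send the policy before any markup is printed.
function example_csp_send_header(): void {
	if ( headers_sent() ) {
		return; // Too late to add a header; do not emit a policy in the body.
	}
	header(
		sprintf(
			"Content-Security-Policy: script-src 'nonce-%s' 'strict-dynamic'; object-src 'none'; base-uri 'none'",
			example_csp_nonce()
		)
	);
}
add_action( 'send_headers', 'example_csp_send_header' ); // Frontend requests.
add_action( 'login_init', 'example_csp_send_header' );   // wp-login.php.

// Attach the same nonce to every tag built by the script tag helpers.
function example_csp_add_nonce( array $attributes ): array {
	$attributes['nonce'] = example_csp_nonce();
	return $attributes;
}
add_filter( 'wp_script_attributes', 'example_csp_add_nonce' );
add_filter( 'wp_inline_script_attributes', 'example_csp_add_nonce' );
```

Any script a theme or plugin still prints as a raw `<script>` tag bypasses the filters and is blocked under this policy, so deploy with `Content-Security-Policy-Report-Only` first. A full-page cache that stores the HTML will also store the nonce, which defeats it.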

File:
1 edited

  • trunk/src/wp-includes/class-wp-customize-manager.php

    r56549 r56687  
    465465                'error'         => $ajax_message,
    466466            );
     467            $message .= ob_get_clean();
     468            ob_start();
    467469            ?>
    468470            <script>
     
    473475            </script>
    474476            <?php
    475             $message .= ob_get_clean();
     477            $message .= wp_get_inline_script_tag( str_replace( array( '<script>', '</script>' ), '', ob_get_clean() ) );
    476478        }
    477479
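Review bot: the added `$message .= ob_get_clean();` at new line 467 flushes an output buffer that is opened outside the visible context, and the `ob_start();` on line 468 immediately opens a second one for the script. A one-line comment at that point saying which buffer is being flushed and why would keep a later edit from dropping one half of the pair, which would leave the raw `<script>` markup in `$message` or a buffer unclosed.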
     
    20842086            return;
    20852087        }
     2088        ob_start();
    20862089        ?>
    20872090        <script>
     
    21072110        </script>
    21082111        <?php
     2112        wp_print_inline_script_tag( str_replace( array( '<script>', '</script>' ), '', ob_get_clean() ) );
    21092113    }
    21102114
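Review bot: `str_replace( array( '<script>', '</script>' ), '', ob_get_clean() )` at new line 2112 removes every occurrence of those two strings in the buffered block, not only the wrapping pair, so a script body that contains either literal (for example inside a string) is altered silently. Strip only the leading `<script>` and the trailing `</script>` after trimming whitespace, and add a comment that the tags are there only for editor support.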
     
    22022206        }
    22032207
     2208        ob_start();
    22042209        ?>
    2205         <script type="text/javascript">
     2210        <script>
    22062211            var _wpCustomizeSettings = <?php echo wp_json_encode( $settings ); ?>;
    22072212            _wpCustomizeSettings.values = {};
     
    22262231        </script>
    22272232        <?php
     2233        wp_print_inline_script_tag( str_replace( array( '<script>', '</script>' ), '', ob_get_clean() ) );
    22282234    }
    22292235
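Review bot: the buffer stripped at new line 2233 includes the output of `wp_json_encode( $settings )` from line 2211, and with its default flags that encoder leaves `<` unescaped, so a setting value containing the text `<script>` reaches the page with that substring removed. The closing form is not affected because slashes are escaped by default. Either anchor the removal to the start and end of the buffer or encode with `JSON_HEX_TAG` so the data can never match the search strings.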
     
    49774983        }
    49784984
     4985        ob_start();
    49794986        ?>
    4980         <script type="text/javascript">
     4987        <script>
    49814988            var _wpCustomizeSettings = <?php echo wp_json_encode( $settings ); ?>;
    49824989            _wpCustomizeSettings.initialClientTimestamp = _.now();
     
    50135020        </script>
    50145021        <?php
     5022        wp_print_inline_script_tag( str_replace( array( '<script>', '</script>' ), '', ob_get_clean() ) );
    50155023    }
    50165024
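Review bot: the literal search in `str_replace()` at new line 5022 only matches because line 4987 changes the opening tag to a bare `<script>`; if an attribute is ever put back on that tag it will no longer be stripped and will end up nested inside the tag produced by `wp_print_inline_script_tag()`. This is also the fourth copy of the same expression in this file, so a small shared helper that strips the wrapper and is covered by a test would be easier to keep correct.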