Make WordPress Core


Timestamp:
09/25/2023 09:03:19 PM (5 months ago)
Author:
westonruter
Message:

Script Loader: Use wp_get_script_tag() and wp_get_inline_script_tag()/wp_print_inline_script_tag() helper functions to output scripts on the frontend and login screen.

Using script tag helper functions allows plugins to employ the wp_script_attributes and wp_inline_script_attributes filters to inject the nonce attribute to apply Content Security Policy (e.g. Strict CSP). Use of helper functions also simplifies logic in WP_Scripts.

  • Update wp_get_inline_script_tag() to wrap inline script in CDATA blocks for XHTML-compatibility when not using HTML5.
  • Ensure the type attribute is printed first in wp_get_inline_script_tag() for back-compat.
  • Wrap existing <script> tags in output buffering to retain IDE support.
  • In wp_get_inline_script_tag(), append the newline to $javascript before it is passed into the wp_inline_script_attributes filter so that the CSP hash can be computed properly.
  • In the_block_template_skip_link(), opt to enqueue the inline script rather than print it.
  • Add ext-php to composer.json under suggest as previously it was an undeclared dependency for running PHPUnit tests.
  • Update tests to rely on DOMDocument to compare script markup, normalizing unsemantic differences.

Props westonruter, spacedmonkey, flixos90, 10upsimon, dmsnell, mukesh27, joemcgill, swissspidy, azaozz.
Fixes #58664.
See #39941.

File:
1 edited

  • trunk/src/wp-includes/script-loader.php

    r56646 r56687  
    27882788function wp_get_script_tag( $attributes ) {
    27892789    if ( ! isset( $attributes['type'] ) && ! is_admin() && ! current_theme_supports( 'html5', 'script' ) ) {
    2790         $attributes['type'] = 'text/javascript';
     2790        // Keep the type attribute as the first for legacy reasons (it has always been this way in core).
     2791        $attributes = array_merge(
     2792            array( 'type' => 'text/javascript' ),
     2793            $attributes
     2794        );
    27912795    }
    27922796    /**
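Review bot: in the new array_merge() call in wp_get_script_tag(), a caller-supplied 'type' => null now survives into the output attributes. The guard ! isset( $attributes['type'] ) is also true for a null value; the removed assignment overwrote that null with 'text/javascript', whereas array_merge() keeps the default's position but takes the later value from $attributes. If null should still fall back to the default, use the array union instead, $attributes = array( 'type' => 'text/javascript' ) + $attributes; which keeps type first and lets the default win. The same applies to the identical merge in wp_get_inline_script_tag().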
     
    28312835 */
    28322836function wp_get_inline_script_tag( $javascript, $attributes = array() ) {
    2833     if ( ! isset( $attributes['type'] ) && ! is_admin() && ! current_theme_supports( 'html5', 'script' ) ) {
    2834         $attributes['type'] = 'text/javascript';
    2835     }
     2837    $is_html5 = current_theme_supports( 'html5', 'script' ) || is_admin();
     2838    if ( ! isset( $attributes['type'] ) && ! $is_html5 ) {
     2839        // Keep the type attribute as the first for legacy reasons (it has always been this way in core).
     2840        $attributes = array_merge(
     2841            array( 'type' => 'text/javascript' ),
     2842            $attributes
     2843        );
     2844    }
     2845
     2846    // Ensure markup is XHTML compatible if not HTML5.
     2847    if ( ! $is_html5 ) {
     2848        $javascript = str_replace( ']]>', ']]]]><![CDATA[>', $javascript ); // Escape any existing CDATA section.
     2849        $javascript = sprintf( "/* <![CDATA[ */\n%s\n/* ]]> */", $javascript );
     2850    }
     2851
     2852    $javascript = "\n" . trim( $javascript, "\n\r " ) . "\n";
     2853
    28362854    /**
    28372855     * Filters attributes to be added to a script tag.
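Review bot: the if ( ! $is_html5 ) CDATA block wraps $javascript regardless of $attributes['type']. When a caller passes a non-JavaScript type (a JSON data block, for example), the /* <![CDATA[ */ and /* ]]> */ comment wrappers become part of the content and it no longer parses as that type. Consider applying the wrapper only when type is absent or a JavaScript MIME type. Separately, the str_replace() on ']]>' rewrites the script source itself, so a test with that sequence inside ordinary JavaScript on a page served as text/html would be worth adding.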
     
    28452863     */
    28462864    $attributes = apply_filters( 'wp_inline_script_attributes', $attributes, $javascript );
    2847 
    2848     $javascript = "\n" . trim( $javascript, "\n\r " ) . "\n";
    28492865
    28502866    return sprintf( "<script%s>%s</script>\n", wp_sanitize_script_attributes( $attributes ), $javascript );
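Review bot: moving the newline normalization above the apply_filters( 'wp_inline_script_attributes', ... ) call changes the second argument that existing filter callbacks receive, and that should be documented in the filter's docblock. Before this change callbacks were passed the untrimmed $javascript; now they get the string exactly as it is placed between the script tags, including the added leading and trailing newlines and, outside HTML5, the CDATA wrapper. That is what a CSP hash has to cover, but a callback that already compensated by normalizing the value itself will now hash different bytes, so a changelog entry on the $javascript parameter stating that it is the final tag content would help.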