Changeset 60681

Timestamp:

08/27/2025 10:32:57 AM (8 weeks ago)

Author:

jonsurrell

Message:

Scripts: Use appropriate JSON encoding flags for script tags.

wp_json_encode() with default arguments is insufficient to safely escape JSON for script tags. Use JSON_HEX_TAG | JSON_UNESCAPED_SLASHES flags.

Developed in ​https://github.com/WordPress/wordpress-develop/pull/9557.

Props devasheeshkaul, jonsurrell, siliconforks.
Fixes #63851.

Location:

trunk

Files:

• src/wp-admin/async-upload.php (modified) (1 diff)
• src/wp-admin/customize.php (modified) (2 diffs)
• src/wp-admin/edit-form-blocks.php (modified) (5 diffs)
• src/wp-admin/includes/class-wp-internal-pointers.php (modified) (1 diff)
• src/wp-admin/includes/class-wp-list-table.php (modified) (1 diff)
• src/wp-admin/includes/class-wp-privacy-policy-content.php (modified) (1 diff)
• src/wp-admin/includes/class-wp-themes-list-table.php (modified) (1 diff)
• src/wp-admin/includes/media.php (modified) (2 diffs)
• src/wp-admin/includes/misc.php (modified) (1 diff)
• src/wp-admin/includes/options.php (modified) (1 diff)
• src/wp-admin/includes/post.php (modified) (1 diff)
• src/wp-admin/includes/template.php (modified) (1 diff)
• src/wp-admin/plugin-editor.php (modified) (1 diff)
• src/wp-admin/site-editor.php (modified) (4 diffs)
• src/wp-admin/theme-editor.php (modified) (1 diff)
• src/wp-admin/widgets-form-blocks.php (modified) (4 diffs)
• src/wp-content/themes/twentytwenty/functions.php (modified) (1 diff)
• src/wp-includes/class-wp-customize-manager.php (modified) (6 diffs)
• src/wp-includes/class-wp-customize-nav-menus.php (modified) (2 diffs)
• src/wp-includes/class-wp-customize-widgets.php (modified) (6 diffs)
• src/wp-includes/class-wp-script-modules.php (modified) (1 diff)
• src/wp-includes/class-wp-scripts.php (modified) (1 diff)
• src/wp-includes/customize/class-wp-customize-selective-refresh.php (modified) (1 diff)
• src/wp-includes/general-template.php (modified) (1 diff)
• src/wp-includes/media.php (modified) (2 diffs)
• src/wp-includes/script-loader.php (modified) (7 diffs)
• src/wp-includes/speculative-loading.php (modified) (1 diff)
• src/wp-includes/theme-previews.php (modified) (2 diffs)
• src/wp-includes/theme.php (modified) (1 diff)
• src/wp-includes/widgets/class-wp-widget-custom-html.php (modified) (3 diffs)
• src/wp-includes/widgets/class-wp-widget-media-audio.php (modified) (2 diffs)
• src/wp-includes/widgets/class-wp-widget-media-gallery.php (modified) (2 diffs)
• src/wp-includes/widgets/class-wp-widget-media-image.php (modified) (2 diffs)
• src/wp-includes/widgets/class-wp-widget-media-video.php (modified) (2 diffs)
• src/wp-includes/widgets/class-wp-widget-text.php (modified) (1 diff)
• tests/phpunit/tests/dependencies/wpLocalizeScript.php (modified) (2 diffs)

trunk/src/wp-admin/async-upload.php

@@ -146 +146 @@
     );
 
-    echo '<script>_.delay(function() {wp.a11y.speak(' . wp_json_encode( $speak_message ) . ");}, 1500);jQuery( 'button#{$button_unique_id}' ).on( 'click', function() {jQuery(this).parents('div.media-item').slideUp(200, function(){jQuery(this).remove();wp.a11y.speak( wp.i18n.__( 'Error dismissed.' ) );jQuery( '#plupload-browse-button' ).trigger( 'focus' );})});</script>\n";
+    echo '<script>_.delay(function() {wp.a11y.speak(' . wp_json_encode( $speak_message, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ");}, 1500);jQuery( 'button#{$button_unique_id}' ).on( 'click', function() {jQuery(this).parents('div.media-item').slideUp(200, function(){jQuery(this).remove();wp.a11y.speak( wp.i18n.__( 'Error dismissed.' ) );jQuery( '#plupload-browse-button' ).trigger( 'focus' );})});</script>\n";
     exit;
 }

trunk/src/wp-admin/customize.php

@@ -63 +63 @@
         <?php wp_print_scripts( array( 'wp-util' ) ); ?>
         <script>
-            wp.ajax.post( 'customize_save', <?php echo wp_json_encode( $request_args ); ?> );
+            wp.ajax.post( 'customize_save', <?php echo wp_json_encode( $request_args, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ); ?> );
         </script>
         <?php
@@ -159 +159 @@
 
 <script type="text/javascript">
-var ajaxurl = <?php echo wp_json_encode( admin_url( 'admin-ajax.php', 'relative' ) ); ?>,
+var ajaxurl = <?php echo wp_json_encode( admin_url( 'admin-ajax.php', 'relative' ), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ); ?>,
     pagenow = 'customize';
 </script>

trunk/src/wp-admin/edit-form-blocks.php

@@ -116 +116 @@
 wp_add_inline_script(
     'wp-blocks',
-    sprintf( 'wp.blocks.setCategories( %s );', wp_json_encode( get_block_categories( $post ) ) ),
+    sprintf( 'wp.blocks.setCategories( %s );', wp_json_encode( get_block_categories( $post ), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) ),
     'after'
 );
@@ -145 +145 @@
 wp_add_inline_script(
     'wp-blocks',
-    'wp.blocks.unstable__bootstrapServerSideBlockDefinitions(' . wp_json_encode( get_block_editor_server_block_settings() ) . ');'
+    'wp.blocks.unstable__bootstrapServerSideBlockDefinitions(' . wp_json_encode( get_block_editor_server_block_settings(), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ');'
 );
 
@@ -159 +159 @@
         );
     }
-    $script = sprintf( 'for ( const source of %s ) { wp.blocks.registerBlockBindingsSource( source ); }', wp_json_encode( $filtered_sources ) );
+    $script = sprintf( 'for ( const source of %s ) { wp.blocks.registerBlockBindingsSource( source ); }', wp_json_encode( $filtered_sources, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) );
     wp_add_inline_script(
         'wp-blocks',
@@ -179 +179 @@
 wp_add_inline_script(
     'wp-editor',
-    sprintf( 'var _wpMetaBoxUrl = %s;', wp_json_encode( $meta_box_url ) ),
+    sprintf( 'var _wpMetaBoxUrl = %s;', wp_json_encode( $meta_box_url, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) ),
     'before'
 );
@@ -365 +365 @@
     $post->post_type,
     $post->ID,
-    wp_json_encode( $editor_settings ),
-    wp_json_encode( $initial_edits )
+    wp_json_encode( $editor_settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+    wp_json_encode( $initial_edits, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
 );
 wp_add_inline_script( 'wp-edit-post', $script );

trunk/src/wp-admin/includes/class-wp-internal-pointers.php

@@ -121 +121 @@
         <script type="text/javascript">
         (function($){
-            var options = <?php echo wp_json_encode( $args ); ?>, setup;
+            var options = <?php echo wp_json_encode( $args, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ); ?>, setup;
 
             if ( ! options )

trunk/src/wp-admin/includes/class-wp-list-table.php

@@ -1872 +1872 @@
         );
 
-        printf( "<script type='text/javascript'>list_args = %s;</script>\n", wp_json_encode( $args ) );
+        printf( "<script type='text/javascript'>list_args = %s;</script>\n", wp_json_encode( $args, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) );
     }
 }

trunk/src/wp-admin/includes/class-wp-privacy-policy-content.php

@@ -349 +349 @@
                     'wp.data.dispatch( "core/notices" ).createWarningNotice( "%s", { actions: [ %s ], isDismissible: false } )',
                     $message,
-                    wp_json_encode( $action )
+                    wp_json_encode( $action, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
                 ),
                 'after'

trunk/src/wp-admin/includes/class-wp-themes-list-table.php

@@ -358 +358 @@
         }
 
-        printf( "<script type='text/javascript'>var theme_list_args = %s;</script>\n", wp_json_encode( $args ) );
+        printf( "<script type='text/javascript'>var theme_list_args = %s;</script>\n", wp_json_encode( $args, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) );
         parent::_js_vars();
     }

trunk/src/wp-admin/includes/media.php

@@ -275 +275 @@
     <script type="text/javascript">
     var win = window.dialogArguments || opener || parent || top;
-    win.send_to_editor( <?php echo wp_json_encode( $html ); ?> );
+    win.send_to_editor( <?php echo wp_json_encode( $html, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ); ?> );
     </script>
     <?php
@@ -2237 +2237 @@
     ?>
     var resize_height = <?php echo $large_size_h; ?>, resize_width = <?php echo $large_size_w; ?>,
-    wpUploaderInit = <?php echo wp_json_encode( $plupload_init ); ?>;
+    wpUploaderInit = <?php echo wp_json_encode( $plupload_init, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ); ?>;
     </script>
 

trunk/src/wp-admin/includes/misc.php

@@ -1086 +1086 @@
     }
 
-    echo '<script type="text/javascript">var _wpColorScheme = ' . wp_json_encode( array( 'icons' => $icon_colors ) ) . ";</script>\n";
+    echo '<script type="text/javascript">var _wpColorScheme = ' . wp_json_encode( array( 'icons' => $icon_colors ), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ";</script>\n";
 }
 

trunk/src/wp-admin/includes/options.php

@@ -38 +38 @@
         var $siteName = $( '#wp-admin-bar-site-name' ).children( 'a' ).first(),
             $siteIconPreview = $('#site-icon-preview-site-title'),
-            homeURL = ( <?php echo wp_json_encode( get_home_url() ); ?> || '' ).replace( /^(https?:\/\/)?(www\.)?/, '' );
+            homeURL = ( <?php echo wp_json_encode( get_home_url(), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ); ?> || '' ).replace( /^(https?:\/\/)?(www\.)?/, '' );
 
         $( '#blogname' ).on( 'input', function() {

trunk/src/wp-admin/includes/post.php

@@ -2443 +2443 @@
      */
     $script = 'window._wpLoadBlockEditor.then( function() {
-        wp.data.dispatch( \'core/edit-post\' ).setAvailableMetaBoxesPerLocation( ' . wp_json_encode( $meta_boxes_per_location ) . ' );
+        wp.data.dispatch( \'core/edit-post\' ).setAvailableMetaBoxesPerLocation( ' . wp_json_encode( $meta_boxes_per_location, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ' );
     } );';
 

trunk/src/wp-admin/includes/template.php

@@ -2480 +2480 @@
     ?>
     <script type="text/javascript">
-    var compressionNonce = <?php echo wp_json_encode( wp_create_nonce( 'update_can_compress_scripts' ) ); ?>;
+    var compressionNonce = <?php echo wp_json_encode( wp_create_nonce( 'update_can_compress_scripts' ), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ); ?>;
     var testCompression = {
         get : function(test) {

trunk/src/wp-admin/plugin-editor.php

@@ -161 +161 @@
 );
 wp_enqueue_script( 'wp-theme-plugin-editor' );
-wp_add_inline_script( 'wp-theme-plugin-editor', sprintf( 'jQuery( function( $ ) { wp.themePluginEditor.init( $( "#template" ), %s ); } )', wp_json_encode( $settings ) ) );
+wp_add_inline_script( 'wp-theme-plugin-editor', sprintf( 'jQuery( function( $ ) { wp.themePluginEditor.init( $( "#template" ), %s ); } )', wp_json_encode( $settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) ) );
 wp_add_inline_script( 'wp-theme-plugin-editor', sprintf( 'wp.themePluginEditor.themeOrPlugin = "plugin";' ) );
 

trunk/src/wp-admin/site-editor.php

@@ -258 +258 @@
             wp.editSite.initializeEditor( "site-editor", %s );
         } );',
-        wp_json_encode( $editor_settings )
+        wp_json_encode( $editor_settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
     )
 );
@@ -265 +265 @@
 wp_add_inline_script(
     'wp-blocks',
-    'wp.blocks.unstable__bootstrapServerSideBlockDefinitions(' . wp_json_encode( get_block_editor_server_block_settings() ) . ');'
+    'wp.blocks.unstable__bootstrapServerSideBlockDefinitions(' . wp_json_encode( get_block_editor_server_block_settings(), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ');'
 );
 
@@ -279 +279 @@
         );
     }
-    $script = sprintf( 'for ( const source of %s ) { wp.blocks.registerBlockBindingsSource( source ); }', wp_json_encode( $filtered_sources ) );
+    $script = sprintf( 'for ( const source of %s ) { wp.blocks.registerBlockBindingsSource( source ); }', wp_json_encode( $filtered_sources, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) );
     wp_add_inline_script(
         'wp-blocks',
@@ -288 +288 @@
 wp_add_inline_script(
     'wp-blocks',
-    sprintf( 'wp.blocks.setCategories( %s );', wp_json_encode( isset( $editor_settings['blockCategories'] ) ? $editor_settings['blockCategories'] : array() ) ),
+    sprintf( 'wp.blocks.setCategories( %s );', wp_json_encode( isset( $editor_settings['blockCategories'] ) ? $editor_settings['blockCategories'] : array(), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) ),
     'after'
 );

trunk/src/wp-admin/theme-editor.php

@@ -147 +147 @@
 );
 wp_enqueue_script( 'wp-theme-plugin-editor' );
-wp_add_inline_script( 'wp-theme-plugin-editor', sprintf( 'jQuery( function( $ ) { wp.themePluginEditor.init( $( "#template" ), %s ); } )', wp_json_encode( $settings ) ) );
+wp_add_inline_script( 'wp-theme-plugin-editor', sprintf( 'jQuery( function( $ ) { wp.themePluginEditor.init( $( "#template" ), %s ); } )', wp_json_encode( $settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) ) );
 wp_add_inline_script( 'wp-theme-plugin-editor', 'wp.themePluginEditor.themeOrPlugin = "theme";' );
 

trunk/src/wp-admin/widgets-form-blocks.php

@@ -42 +42 @@
             wp.editWidgets.initialize( "widgets-editor", %s );
         } );',
-        wp_json_encode( $editor_settings )
+        wp_json_encode( $editor_settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
     )
 );
@@ -49 +49 @@
 wp_add_inline_script(
     'wp-blocks',
-    'wp.blocks.unstable__bootstrapServerSideBlockDefinitions(' . wp_json_encode( get_block_editor_server_block_settings() ) . ');'
+    'wp.blocks.unstable__bootstrapServerSideBlockDefinitions(' . wp_json_encode( get_block_editor_server_block_settings(), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ');'
 );
 
@@ -63 +63 @@
         );
     }
-    $script = sprintf( 'for ( const source of %s ) { wp.blocks.registerBlockBindingsSource( source ); }', wp_json_encode( $filtered_sources ) );
+    $script = sprintf( 'for ( const source of %s ) { wp.blocks.registerBlockBindingsSource( source ); }', wp_json_encode( $filtered_sources, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) );
     wp_add_inline_script(
         'wp-blocks',
@@ -72 +72 @@
 wp_add_inline_script(
     'wp-blocks',
-    sprintf( 'wp.blocks.setCategories( %s );', wp_json_encode( get_block_categories( $block_editor_context ) ) ),
+    sprintf( 'wp.blocks.setCategories( %s );', wp_json_encode( get_block_categories( $block_editor_context ), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) ),
     'after'
 );

trunk/src/wp-content/themes/twentytwenty/functions.php

@@ -685 +685 @@
         sprintf(
             'wp.customize.selectiveRefresh.partialConstructor[ %1$s ].prototype.attrs = %2$s;',
-            wp_json_encode( 'cover_opacity' ),
-            wp_json_encode( twentytwenty_customize_opacity_range() )
+            wp_json_encode( 'cover_opacity', JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+            wp_json_encode( twentytwenty_customize_opacity_range(), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
         )
     );

trunk/src/wp-includes/class-wp-customize-manager.php

@@ -477 +477 @@
                 var preview = new api.Messenger( settings.messengerArgs );
                 preview.send( 'iframe-loading-error', settings.error );
-            } )( wp.customize, <?php echo wp_json_encode( $settings ); ?> );
+            } )( wp.customize, <?php echo wp_json_encode( $settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ); ?> );
             </script>
             <?php
@@ -2206 +2206 @@
         ?>
         <script>
-            var _wpCustomizeSettings = <?php echo wp_json_encode( $settings ); ?>;
+            var _wpCustomizeSettings = <?php echo wp_json_encode( $settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ); ?>;
             _wpCustomizeSettings.values = {};
             (function( v ) {
@@ -2219 +2219 @@
                         printf(
                             "v[%s] = %s;\n",
-                            wp_json_encode( $id ),
-                            wp_json_encode( $setting->js_value() )
+                            wp_json_encode( $id, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+                            wp_json_encode( $setting->js_value(), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
                         );
                     }
@@ -4989 +4989 @@
         ?>
         <script>
-            var _wpCustomizeSettings = <?php echo wp_json_encode( $settings ); ?>;
+            var _wpCustomizeSettings = <?php echo wp_json_encode( $settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ); ?>;
             _wpCustomizeSettings.initialClientTimestamp = _.now();
             _wpCustomizeSettings.controls = {};
@@ -5001 +5001 @@
                     printf(
                         "s[%s] = %s;\n",
-                        wp_json_encode( $setting->id ),
-                        wp_json_encode( $setting->json() )
+                        wp_json_encode( $setting->id, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+                        wp_json_encode( $setting->json(), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
                     );
                 }
@@ -5014 +5014 @@
                     printf(
                         "c[%s] = %s;\n",
-                        wp_json_encode( $control->id ),
-                        wp_json_encode( $control->json() )
+                        wp_json_encode( $control->id, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+                        wp_json_encode( $control->json(), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
                     );
                 }

trunk/src/wp-includes/class-wp-customize-nav-menus.php

@@ -546 +546 @@
         );
 
-        $data = sprintf( 'var _wpCustomizeNavMenusSettings = %s;', wp_json_encode( $settings ) );
+        $data = sprintf( 'var _wpCustomizeNavMenusSettings = %s;', wp_json_encode( $settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) );
         wp_scripts()->add_data( 'customize-nav-menus', 'data', $data );
 
@@ -1549 +1549 @@
             'navMenuInstanceArgs' => $this->preview_nav_menu_instance_args,
         );
-        wp_print_inline_script_tag( sprintf( 'var _wpCustomizePreviewNavMenusExports = %s;', wp_json_encode( $exports ) ) );
+        wp_print_inline_script_tag( sprintf( 'var _wpCustomizePreviewNavMenusExports = %s;', wp_json_encode( $exports, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) ) );
     }
 

trunk/src/wp-includes/class-wp-customize-widgets.php

@@ -833 +833 @@
             'customize-widgets',
             'data',
-            sprintf( 'var _wpCustomizeWidgetsSettings = %s;', wp_json_encode( $settings ) )
+            sprintf( 'var _wpCustomizeWidgetsSettings = %s;', wp_json_encode( $settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) )
         );
 
@@ -860 +860 @@
                        wp.customizeWidgets.initialize( "widgets-customizer", %s );
                     } );',
-                    wp_json_encode( $editor_settings )
+                    wp_json_encode( $editor_settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
                 )
             );
@@ -867 +867 @@
             wp_add_inline_script(
                 'wp-blocks',
-                'wp.blocks.unstable__bootstrapServerSideBlockDefinitions(' . wp_json_encode( get_block_editor_server_block_settings() ) . ');'
+                'wp.blocks.unstable__bootstrapServerSideBlockDefinitions(' . wp_json_encode( get_block_editor_server_block_settings(), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ');'
             );
 
@@ -881 +881 @@
                     );
                 }
-                $script = sprintf( 'for ( const source of %s ) { wp.blocks.registerBlockBindingsSource( source ); }', wp_json_encode( $filtered_sources ) );
+                $script = sprintf( 'for ( const source of %s ) { wp.blocks.registerBlockBindingsSource( source ); }', wp_json_encode( $filtered_sources, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) );
                 wp_add_inline_script(
                     'wp-blocks',
@@ -890 +890 @@
             wp_add_inline_script(
                 'wp-blocks',
-                sprintf( 'wp.blocks.setCategories( %s );', wp_json_encode( get_block_categories( $block_editor_context ) ) ),
+                sprintf( 'wp.blocks.setCategories( %s );', wp_json_encode( get_block_categories( $block_editor_context ), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) ),
                 'after'
             );
@@ -1335 +1335 @@
         }
         wp_print_inline_script_tag(
-            sprintf( 'var _wpWidgetCustomizerPreviewSettings = %s;', wp_json_encode( $settings ) )
+            sprintf( 'var _wpWidgetCustomizerPreviewSettings = %s;', wp_json_encode( $settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) )
         );
     }

trunk/src/wp-includes/class-wp-script-modules.php

@@ -249 +249 @@
         if ( ! empty( $import_map['imports'] ) ) {
             wp_print_inline_script_tag(
-                wp_json_encode( $import_map, JSON_HEX_TAG | JSON_HEX_AMP ),
+                wp_json_encode( $import_map, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
                 array(
                     'type' => 'importmap',

trunk/src/wp-includes/class-wp-scripts.php

@@ -597 +597 @@
         }
 
-        $script = "var $object_name = " . wp_json_encode( $l10n ) . ';';
+        $script = "var $object_name = " . wp_json_encode( $l10n, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ';';
 
         if ( ! empty( $after ) ) {

trunk/src/wp-includes/customize/class-wp-customize-selective-refresh.php

@@ -194 +194 @@
 
         // Export data to JS.
-        wp_print_inline_script_tag( sprintf( 'var _customizePartialRefreshExports = %s;', wp_json_encode( $exports ) ) );
+        wp_print_inline_script_tag( sprintf( 'var _customizePartialRefreshExports = %s;', wp_json_encode( $exports, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) ) );
     }
 

trunk/src/wp-includes/general-template.php

@@ -4067 +4067 @@
     }
 
-    wp_add_inline_script( 'code-editor', sprintf( 'jQuery.extend( wp.codeEditor.defaultSettings, %s );', wp_json_encode( $settings ) ) );
+    wp_add_inline_script( 'code-editor', sprintf( 'jQuery.extend( wp.codeEditor.defaultSettings, %s );', wp_json_encode( $settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) ) );
 
     /**

trunk/src/wp-includes/media.php

@@ -3275 +3275 @@
     </ol>
     </noscript>
-    <script type="application/json" class="wp-playlist-script"><?php echo wp_json_encode( $data ); ?></script>
+    <script type="application/json" class="wp-playlist-script"><?php echo wp_json_encode( $data, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ); ?></script>
 </div>
     <?php
@@ -4436 +4436 @@
     );
 
-    $script = 'var _wpPluploadSettings = ' . wp_json_encode( $settings ) . ';';
+    $script = 'var _wpPluploadSettings = ' . wp_json_encode( $settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ';';
 
     if ( $data ) {

trunk/src/wp-includes/script-loader.php

@@ -160 +160 @@
                         'LLLL' => null,
                     ),
-                )
+                ),
+                JSON_HEX_TAG | JSON_UNESCAPED_SLASHES
             )
         ),
@@ -385 +386 @@
                 wp.data.dispatch( preferencesStore ).setPersistenceLayer( persistenceLayer );
             } ) ();',
-            wp_json_encode( $preload_data ),
+            wp_json_encode( $preload_data, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
             $user_id
         )
@@ -478 +479 @@
                         'abbr'            => $timezone_abbr,
                     ),
-                )
+                ),
+                JSON_HEX_TAG | JSON_UNESCAPED_SLASHES
             )
         ),
@@ -641 +643 @@
     $script = 'window.wpEditorL10n = {
         tinymce: {
-            baseURL: ' . wp_json_encode( includes_url( 'js/tinymce' ) ) . ',
+            baseURL: ' . wp_json_encode( includes_url( 'js/tinymce' ), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ',
             suffix: ' . ( SCRIPT_DEBUG ? '""' : '".min"' ) . ',
             settings: ' . $init_obj . ',
@@ -1156 +1158 @@
                         'mejs.yiddish'             => __( 'Yiddish' ),
                     ),
-                )
+                ),
+                JSON_HEX_TAG | JSON_UNESCAPED_SLASHES
             )
         ),
@@ -2000 +2003 @@
             'firstDay'        => absint( get_option( 'start_of_week' ) ),
             'isRTL'           => $wp_locale->is_rtl(),
-        )
+        ),
+        JSON_HEX_TAG | JSON_UNESCAPED_SLASHES
     );
 
@@ -2810 +2814 @@
                 '   wp.blocks.registerBlockStyle( \'%s\', %s );',
                 $block_name,
-                wp_json_encode( $block_style )
+                wp_json_encode( $block_style, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
             );
         }

trunk/src/wp-includes/speculative-loading.php

@@ -248 +248 @@
     wp_print_inline_script_tag(
         (string) wp_json_encode(
-            $speculation_rules
+            $speculation_rules,
+            JSON_HEX_TAG | JSON_UNESCAPED_SLASHES
         ),
         array( 'type' => 'speculationrules' )

trunk/src/wp-includes/theme-previews.php

@@ -50 +50 @@
         sprintf(
             'wp.apiFetch.use( wp.apiFetch.createThemePreviewMiddleware( %s ) );',
-            wp_json_encode( sanitize_text_field( wp_unslash( $_GET['wp_theme_preview'] ) ) )
+            wp_json_encode( sanitize_text_field( wp_unslash( $_GET['wp_theme_preview'] ) ), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
         ),
         'after'
@@ -71 +71 @@
     ?>
     <script type="text/javascript">
-        window.WP_BLOCK_THEME_ACTIVATE_NONCE = <?php echo wp_json_encode( wp_create_nonce( $nonce_handle ) ); ?>;
+        window.WP_BLOCK_THEME_ACTIVATE_NONCE = <?php echo wp_json_encode( wp_create_nonce( $nonce_handle ), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ); ?>;
     </script>
     <?php

trunk/src/wp-includes/theme.php

@@ -3749 +3749 @@
     );
 
-    $script = 'var _wpCustomizeLoaderSettings = ' . wp_json_encode( $settings ) . ';';
+    $script = 'var _wpCustomizeLoaderSettings = ' . wp_json_encode( $settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ';';
 
     $wp_scripts = wp_scripts();

trunk/src/wp-includes/widgets/class-wp-widget-custom-html.php

@@ -216 +216 @@
 
         wp_enqueue_script( 'custom-html-widgets' );
-        wp_add_inline_script( 'custom-html-widgets', sprintf( 'wp.customHtmlWidgets.idBases.push( %s );', wp_json_encode( $this->id_base ) ) );
+        wp_add_inline_script( 'custom-html-widgets', sprintf( 'wp.customHtmlWidgets.idBases.push( %s );', wp_json_encode( $this->id_base, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) ) );
 
         if ( empty( $settings ) ) {
@@ -223 +223 @@
             );
         }
-        wp_add_inline_script( 'custom-html-widgets', sprintf( 'wp.customHtmlWidgets.init( %s );', wp_json_encode( $settings ) ), 'after' );
+        wp_add_inline_script( 'custom-html-widgets', sprintf( 'wp.customHtmlWidgets.init( %s );', wp_json_encode( $settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) ), 'after' );
 
         $l10n = array(
@@ -234 +234 @@
             ),
         );
-        wp_add_inline_script( 'custom-html-widgets', sprintf( 'jQuery.extend( wp.customHtmlWidgets.l10n, %s );', wp_json_encode( $l10n ) ), 'after' );
+        wp_add_inline_script( 'custom-html-widgets', sprintf( 'jQuery.extend( wp.customHtmlWidgets.l10n, %s );', wp_json_encode( $l10n, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) ), 'after' );
     }
 

trunk/src/wp-includes/widgets/class-wp-widget-media-audio.php

@@ -161 +161 @@
             sprintf(
                 'wp.mediaWidgets.modelConstructors[ %s ].prototype.schema = %s;',
-                wp_json_encode( $this->id_base ),
-                wp_json_encode( $exported_schema )
+                wp_json_encode( $this->id_base, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+                wp_json_encode( $exported_schema, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
             )
         );
@@ -173 +173 @@
                     wp.mediaWidgets.controlConstructors[ %1$s ].prototype.l10n = _.extend( {}, wp.mediaWidgets.controlConstructors[ %1$s ].prototype.l10n, %3$s );
                 ',
-                wp_json_encode( $this->id_base ),
-                wp_json_encode( $this->widget_options['mime_type'] ),
-                wp_json_encode( $this->l10n )
+                wp_json_encode( $this->id_base, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+                wp_json_encode( $this->widget_options['mime_type'], JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+                wp_json_encode( $this->l10n, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
             )
         );

trunk/src/wp-includes/widgets/class-wp-widget-media-gallery.php

@@ -149 +149 @@
             sprintf(
                 'wp.mediaWidgets.modelConstructors[ %s ].prototype.schema = %s;',
-                wp_json_encode( $this->id_base ),
-                wp_json_encode( $exported_schema )
+                wp_json_encode( $this->id_base, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+                wp_json_encode( $exported_schema, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
             )
         );
@@ -161 +161 @@
                     _.extend( wp.mediaWidgets.controlConstructors[ %1$s ].prototype.l10n, %3$s );
                 ',
-                wp_json_encode( $this->id_base ),
-                wp_json_encode( $this->widget_options['mime_type'] ),
-                wp_json_encode( $this->l10n )
+                wp_json_encode( $this->id_base, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+                wp_json_encode( $this->widget_options['mime_type'], JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+                wp_json_encode( $this->l10n, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
             )
         );

trunk/src/wp-includes/widgets/class-wp-widget-media-image.php

@@ -324 +324 @@
             sprintf(
                 'wp.mediaWidgets.modelConstructors[ %s ].prototype.schema = %s;',
-                wp_json_encode( $this->id_base ),
-                wp_json_encode( $exported_schema )
+                wp_json_encode( $this->id_base, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+                wp_json_encode( $exported_schema, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
             )
         );
@@ -336 +336 @@
                     wp.mediaWidgets.controlConstructors[ %1$s ].prototype.l10n = _.extend( {}, wp.mediaWidgets.controlConstructors[ %1$s ].prototype.l10n, %3$s );
                 ',
-                wp_json_encode( $this->id_base ),
-                wp_json_encode( $this->widget_options['mime_type'] ),
-                wp_json_encode( $this->l10n )
+                wp_json_encode( $this->id_base, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+                wp_json_encode( $this->widget_options['mime_type'], JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+                wp_json_encode( $this->l10n, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
             )
         );

trunk/src/wp-includes/widgets/class-wp-widget-media-video.php

@@ -200 +200 @@
             sprintf(
                 'wp.mediaWidgets.modelConstructors[ %s ].prototype.schema = %s;',
-                wp_json_encode( $this->id_base ),
-                wp_json_encode( $exported_schema )
+                wp_json_encode( $this->id_base, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+                wp_json_encode( $exported_schema, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
             )
         );
@@ -212 +212 @@
                     wp.mediaWidgets.controlConstructors[ %1$s ].prototype.l10n = _.extend( {}, wp.mediaWidgets.controlConstructors[ %1$s ].prototype.l10n, %3$s );
                 ',
-                wp_json_encode( $this->id_base ),
-                wp_json_encode( $this->widget_options['mime_type'] ),
-                wp_json_encode( $this->l10n )
+                wp_json_encode( $this->id_base, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+                wp_json_encode( $this->widget_options['mime_type'], JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+                wp_json_encode( $this->l10n, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
             )
         );

trunk/src/wp-includes/widgets/class-wp-widget-text.php

@@ -436 +436 @@
         wp_enqueue_media();
         wp_enqueue_script( 'text-widgets' );
-        wp_add_inline_script( 'text-widgets', sprintf( 'wp.textWidgets.idBases.push( %s );', wp_json_encode( $this->id_base ) ) );
+        wp_add_inline_script( 'text-widgets', sprintf( 'wp.textWidgets.idBases.push( %s );', wp_json_encode( $this->id_base, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) ) );
         wp_add_inline_script( 'text-widgets', 'wp.textWidgets.init();', 'after' );
     }

trunk/tests/phpunit/tests/dependencies/wpLocalizeScript.php

@@ -4 +4 @@
  * @group scripts
  */
-class Tests_Dependencies_LocalizeScript extends WP_UnitTestCase {
+class Tests_Dependencies_wpLocalizeScript extends WP_UnitTestCase {
     /**
      * @var WP_Scripts
@@ -39 +39 @@
         );
     }
+
+    /**
+     * Verifies that wp_localize_script() outputs safe JSON whe harmful data is provided.
+     *
+     * @ticket 63851
+     * @covers ::wp_localize_script
+     */
+    public function test_wp_localize_script_outputs_safe_json() {
+        add_theme_support( 'html5', array( 'script' ) );
+
+        $path     = '/test.js';
+        $base_url = site_url( $path );
+
+        wp_enqueue_script( 'test-script', $path, array(), null );
+        wp_localize_script( 'test-script', 'testData', array( '<!--' => '<script>' ) );
+
+        $output = get_echo( 'wp_print_scripts' );
+
+        $expected  = "<script id=\"test-script-js-extra\">\nvar testData = {\"\\u003C!--\":\"\\u003Cscript\\u003E\"};\n</script>\n";
+        $expected .= "<script src=\"{$base_url}\" id=\"test-script-js\"></script>\n";
+
+        $this->assertEqualHTML( $expected, $output );
+    }
 }