Make WordPress Core
Timestamp:
08/27/2025 10:32:57 AM (8 months ago)
Author:
jonsurrell
Message:

Scripts: Use appropriate JSON encoding flags for script tags.

wp_json_encode() with default arguments is insufficient to safely escape JSON for script tags. Use JSON_HEX_TAG | JSON_UNESCAPED_SLASHES flags.

Developed in https://github.com/WordPress/wordpress-develop/pull/9557.

Props devasheeshkaul, jonsurrell, siliconforks.
Fixes #63851.

  • trunk/src/wp-admin/customize.php

    r59945 r60681  
    6363        <?php wp_print_scripts( array( 'wp-util' ) ); ?>
    6464        <script>
    65             wp.ajax.post( 'customize_save', <?php echo wp_json_encode( $request_args ); ?> );
     65            wp.ajax.post( 'customize_save', <?php echo wp_json_encode( $request_args, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ); ?> );
    6666        </script>
    6767        <?php
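Review bot: the flag pair `JSON_HEX_TAG | JSON_UNESCAPED_SLASHES` is a bare magic combination at the `wp.ajax.post( 'customize_save', ... )` call site with nothing explaining why it is the safe choice for inline `<script>` output; a short inline comment would help the next maintainer. `JSON_HEX_TAG` turns `<` and `>` into `\u003C` and `\u003E`, so a value in `$request_args` containing `</script>` cannot terminate the script element, and that is also why leaving `/` unescaped with `JSON_UNESCAPED_SLASHES` is fine here, since a closing tag can no longer be formed. Since the same pair appears again further down in this file, consider naming it once (a constant or small wrapper) so any future `wp_json_encode()` call inside a script tag inherits the safe flags instead of relying on each author to remember them.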
     
    159159
    160160<script type="text/javascript">
    161 var ajaxurl = <?php echo wp_json_encode( admin_url( 'admin-ajax.php', 'relative' ) ); ?>,
     161var ajaxurl = <?php echo wp_json_encode( admin_url( 'admin-ajax.php', 'relative' ), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ); ?>,
    162162    pagenow = 'customize';
    163163</script>
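Review bot: for `var ajaxurl = <?php echo wp_json_encode( admin_url( 'admin-ajax.php', 'relative' ), ... ); ?>,` the only visible behavioural change for a well-formed relative URL is that slashes are now emitted as `/` rather than `\/`, both of which are valid JavaScript string content; the `JSON_HEX_TAG` part is defence in depth should `admin_url()` ever return something containing `<` or `>`. Worth stating that intent in a one-line comment, and confirming that this same flag combination is applied consistently to the other `wp_json_encode()` calls that land in script tags, so this file does not end up with two different escaping conventions.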