WordPress.org
Get WordPress

Make WordPress Core


Ignore:
Timestamp:
08/27/2025 10:32:57 AM (8 months ago)
Author:
jonsurrell
Message:

Scripts: Use appropriate JSON encoding flags for script tags.

wp_json_encode() with default arguments is insufficient to safely escape JSON for script tags. Use JSON_HEX_TAG | JSON_UNESCAPED_SLASHES flags.

Developed in https://github.com/WordPress/wordpress-develop/pull/9557.

Props devasheeshkaul, jonsurrell, siliconforks.
Fixes #63851.

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/src/wp-admin/edit-form-blocks.php

    r59958 r60681  
    116116wp_add_inline_script(
    117117    'wp-blocks',
    118     sprintf( 'wp.blocks.setCategories( %s );', wp_json_encode( get_block_categories( $post ) ) ),
     118    sprintf( 'wp.blocks.setCategories( %s );', wp_json_encode( get_block_categories( $post ), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) ),
    119119    'after'
    120120);
     
    145145wp_add_inline_script(
    146146    'wp-blocks',
    147     'wp.blocks.unstable__bootstrapServerSideBlockDefinitions(' . wp_json_encode( get_block_editor_server_block_settings() ) . ');'
     147    'wp.blocks.unstable__bootstrapServerSideBlockDefinitions(' . wp_json_encode( get_block_editor_server_block_settings(), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ');'
    148148);
    149149
     
    159159        );
    160160    }
    161     $script = sprintf( 'for ( const source of %s ) { wp.blocks.registerBlockBindingsSource( source ); }', wp_json_encode( $filtered_sources ) );
     161    $script = sprintf( 'for ( const source of %s ) { wp.blocks.registerBlockBindingsSource( source ); }', wp_json_encode( $filtered_sources, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) );
    162162    wp_add_inline_script(
    163163        'wp-blocks',
     
    179179wp_add_inline_script(
    180180    'wp-editor',
    181     sprintf( 'var _wpMetaBoxUrl = %s;', wp_json_encode( $meta_box_url ) ),
     181    sprintf( 'var _wpMetaBoxUrl = %s;', wp_json_encode( $meta_box_url, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) ),
    182182    'before'
    183183);
     
    365365    $post->post_type,
    366366    $post->ID,
    367     wp_json_encode( $editor_settings ),
    368     wp_json_encode( $initial_edits )
     367    wp_json_encode( $editor_settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
     368    wp_json_encode( $initial_edits, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
    369369);
    370370wp_add_inline_script( 'wp-edit-post', $script );
Note: See TracChangeset for help on using the changeset viewer.