Changeset 60681 for trunk/src/wp-admin/includes/class-wp-privacy-policy-content.php

Timestamp:

08/27/2025 10:32:57 AM (4 months ago)

Author:

jonsurrell

Message:

Scripts: Use appropriate JSON encoding flags for script tags.

wp_json_encode() with default arguments is insufficient to safely escape JSON for script tags. Use JSON_HEX_TAG | JSON_UNESCAPED_SLASHES flags.

Developed in ​https://github.com/WordPress/wordpress-develop/pull/9557.

Props devasheeshkaul, jonsurrell, siliconforks.
Fixes #63851.

File:

• trunk/src/wp-admin/includes/class-wp-privacy-policy-content.php (modified) (1 diff)

trunk/src/wp-admin/includes/class-wp-privacy-policy-content.php

@@ -349 +349 @@
                     'wp.data.dispatch( "core/notices" ).createWarningNotice( "%s", { actions: [ %s ], isDismissible: false } )',
                     $message,
-                    wp_json_encode( $action )
+                    wp_json_encode( $action, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
                 ),
                 'after'